LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

How does a Mass Assignment attack work in practice?

The attacker simply adds an extra parameter the form never showed (&isAdmin=true); because the server blindly maps request fields onto the User object, the hidden isAdmin field gets set.

Mass assignment: attacker appends isAdmin=true; the server auto-binds every field onto the object, escalating privilege.

* Mass assignment — an extra request field (isAdmin=true) is auto-bound onto the object, setting a property the form never exposed. *

Vulnerable form:

<form>
  <input name="userid">
  <input name="password">
  <input name="email">
</form>

Server object:

public class User {
    private String userid;
    private String password;
    private String email;
    // Hidden field!
    private boolean isAdmin;
}

Normal request:

POST /addUser
userid=bob&password=hashedpass&email=bob@tables.com

Exploit:

POST /addUser
userid=bob&password=hashedpass&email=bob@tables.com&isAdmin=true

The isAdmin field gets set because the binding is too permissive!

From Quiz: SPRG / OWASP Top 10 | Updated: Jun 20, 2026