Quiz Entry - updated: 2026.06.20
How does a Mass Assignment attack work in practice?
The attacker simply adds an extra parameter the form never showed (&isAdmin=true); because the server blindly maps request fields onto the User object, the hidden isAdmin field gets set.
* Mass assignment — an extra request field (isAdmin=true) is auto-bound onto the object, setting a property the form never exposed. *
Vulnerable form:
<form>
<input name="userid">
<input name="password">
<input name="email">
</form>
Server object:
public class User {
private String userid;
private String password;
private String email;
// Hidden field!
private boolean isAdmin;
}
Normal request:
POST /addUser
userid=bob&password=hashedpass&email=bob@tables.com
Exploit:
POST /addUser
userid=bob&password=hashedpass&email=bob@tables.com&isAdmin=true
The isAdmin field gets set because the binding is too permissive!