LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is Mass Assignment vulnerability?

An endpoint auto-binds every field in the request body to the internal object, so an attacker can set fields the form never exposed — send "isAdmin": true to an account-update call and become an admin.

Example scenario:

  • API allows clients to modify account settings via PATCH /account/
  • Client sends: {"account_name": "my savings account", "balance": 500, "currency": "CHF"}
  • If API binds ALL properties, attacker can modify fields they shouldn't

The vulnerability:

  • API designed to update account_name only
  • But also accepts balance or isAdmin if sent
  • Exploits missing protection on specific fields/objects

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 05, 2026