Quiz Entry - updated: 2026.07.05
What is Mass Assignment vulnerability?
An endpoint auto-binds every field in the request body to the internal object, so an attacker can set fields the form never exposed — send "isAdmin": true to an account-update call and become an admin.
Example scenario:
- API allows clients to modify account settings via
PATCH /account/ - Client sends:
{"account_name": "my savings account", "balance": 500, "currency": "CHF"} - If API binds ALL properties, attacker can modify fields they shouldn't
The vulnerability:
- API designed to update
account_nameonly - But also accepts
balanceorisAdminif sent - Exploits missing protection on specific fields/objects
Go deeper:
OWASP Mass Assignment Cheat Sheet — definition plus DTO/allowlist mitigations across frameworks.