Mass Assignment

Welcome folks, This article will be a quick review about:

1. What's Mass Assignment.

2. How to hunt for it.

3. Resources about the vulnerability.

What's Mass Assignment:

[+] Mass Assignment describes the behavior of adding more variables than needed for a specific request or editing on values that shouldn't being directly editable by normal users which can cause in unintended results. For example, The admin user tries to edit his username of his account so the following POST request is initiated:

POST /api/v1/user/me HTTP/1.1
Host: example.com
Content-Type: application/json
................

{
    "username":"administrator" , 
    "email":"admin@example.com" , 
    "isAdmin": true
}

So there's a parameter responsible of indicating if the account is admin or a regular user which is(isAdmin), But when a regular user or customer uses the same function the following POST request is initiated:

POST /api/v1/user/me HTTP/1.1
Host: example.com
Content-Type: application/json
................

{
    "username":"customer", 
    "email":"customer123@gmail.com"
}

As you can see the parameter (isAdmin) isn't included in the request in case of a regular/customer account, The customer in that situation might end up having the same privilege as the admin account if the API didn't sanitize that value properly. Another example i've read about, The researcher tried to start reset-password process and when he visited the the link received in his mailbox and tried to fill up the required inputs with intercepting the request it was something like the following:

PUT /api/users/reset-password
Host: target.com
Content-Type: application/json
...............

{
    "newpass":"Letmein123",
    "token","5123sHs2aZZ2g...."
}

The researcher tried to add another email instead of the email initiated the reset-password request (as a victim account) to make the request look like:

PUT /api/users/reset-password
Host: target.com
Content-Type: application/json
...............

{
    "email":"victim@gmail.com",
    "newpass":"Letmein123",
    "token","5123sHs2aZZ2g...."
}

And he noticed that he could log into the account with the new password which make at an Account Takeover vulnerability.

How to hunt for it:

[+] If there's an API documentation then it's the best place to gather parameters and look for the one that looks interesting or look for the documentation of the framework used by the target. Except that you need to walk-through the application and its functions like user account properties, critical functions, and administrative actions and the responses received by these functions where it can reveals interesting parameters besides using tools like (arjun , Param Miner) to guess the parameters.

Resources about the vulnerability:

• https://www.traceable.ai/owasp-api/mass-assignment
• https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md
• Hacking APIs book.

I hope if that could help even a little bit, If you've a question you can ask me at:

• https://www.facebook.com/0xno0nex0/
• https://www.linkedin.com/in/abd-elmonsef-sobhy-58542a1a7/