Mass Assignment
A Mass Assignment vulnerability occurs when an attacker can set or overwrite object properties that the backend never intended to be client-controllable (e.g. `role`, `is_admin`, `balance`). It happens because many modern frameworks let developers bind HTTP request parameters directly onto code variables or model objects, so every key in the request body is written into the object unless the developer filters it.
  1. Find requests that return data structures. Fields that map to user roles, or fields that look like they hold command-line options or code (e.g. conversion_params: "-v codec h264"), are a nice find (the latter might be useful for chaining Mass Assignment to RCE).
  2. Search source code for data structures and object schemas.
    • Finding const newUser = new User(req.body); used with mongoose is an indication that every field sent in the request may be mapped directly onto the "User" object without any filter. Note that mongoose schemas are strict by default, so keys not defined in the schema are discarded; the issue is the schema fields the client should not control (role, account_type, balance, ...), which are bound like any other.
  3. Check claims in JWTs for clues.
  4. Try adding or updating interesting attributes in existing POST/PUT requests based on the info collected in the previous points. An attribute that isn't returned by a GET request may still exist and still be writable via POST or PUT.
  5. Create new POST/PUT requests from GET requests to try to change attributes. Check which methods the endpoint accepts with the OPTIONS method, or fuzz HTTP methods for that request with the "HTTP verbs" list from Burp Suite.
It is worth checking whether registering a new user with "role" or "account_type" set to admin or administrator works, since registration endpoints are the most common place for the request body to be bound straight onto the user model.
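The procedure above, as an added example that is not part of the original page: a registration handler that binds the whole request body onto the user object (the `new User(req.body)` pattern from step 2) next to an allowlist-based fix, plus a small check that lists the keys in a captured request body that the application should never accept. It is written without Express or mongoose so it runs offline; the field names, the `USER_DEFAULTS` model and the attacker request body are constructed assumptions, not taken from any real application.

```javascript
// Added example (not from the original page): mass assignment on a user
// registration endpoint, simulated in plain JavaScript.

// Hypothetical user model. 'role', 'account_type' and 'balance' are
// server-controlled and must never be taken from the request body.
const USER_DEFAULTS = { role: 'user', account_type: 'free', balance: 0 };

// The only fields a client is allowed to set on registration (assumption).
const CLIENT_WRITABLE = ['username', 'email', 'password'];

// Vulnerable: the whole parsed body becomes the stored document, which is
// what `new User(req.body)` does for every field the schema knows about.
function registerVulnerable(body) {
  return { ...USER_DEFAULTS, ...body };
}

// Hardened: copy only allowlisted keys; anything else in the body is dropped.
// An allowlist is preferable to a denylist, since a new sensitive field added
// to the model later is protected automatically.
function registerHardened(body) {
  const user = { ...USER_DEFAULTS };
  for (const key of CLIENT_WRITABLE) {
    if (Object.prototype.hasOwnProperty.call(body, key)) {
      user[key] = body[key];
    }
  }
  return user;
}

// Tester-side helper (steps 1-4): given a captured JSON body and the fields a
// client is legitimately expected to send, return the extra keys. Run it over
// your own crafted body to see exactly what you are trying to smuggle in, or
// over a GET response's keys to see which ones might be writable.
function unexpectedKeys(body, allowlist) {
  return Object.keys(body).filter((k) => !allowlist.includes(k));
}

// Constructed attacker request: a normal registration with two extra fields,
// the kind of names you would pick up from a JWT claim (step 3) or a GET
// response (step 1).
const ATTACK_BODY = {
  username: 'mallory',
  email: 'mallory@example.com',
  password: 'hunter2',
  role: 'admin',
  account_type: 'administrator',
};

// Demonstration output when run directly.
console.log('smuggled keys:', unexpectedKeys(ATTACK_BODY, CLIENT_WRITABLE));
console.log('vulnerable   :', registerVulnerable(ATTACK_BODY));
console.log('hardened     :', registerHardened(ATTACK_BODY));
```

On the vulnerable path the stored user ends up with `role: 'admin'` and `account_type: 'administrator'`; the hardened path keeps the defaults and stores only the three allowlisted fields. The same allowlist copy applies to update (PUT/PATCH) handlers, which are the usual target of step 4 and step 5.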