Security Test: Mass Assignment
Description
Default Severity:
Mass assignment occurs when an application automatically binds user-supplied data to an object without filtering out fields the client should not be allowed to set. This is dangerous because an attacker can include extra properties in a request that, if accepted, grant unauthorized access or modify sensitive configuration. The root mistake is failing to explicitly limit which fields the application accepts from user input; if that leaves critical properties under the attacker's control, the result is privilege escalation.
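The following is an added example, not code from the original page or from the project it documents. It shows the defect in its smallest form: an update handler that binds every JSON key to a user object next to a hardened handler that binds only an explicit allow-list of client-writable fields, checks their types, and reports the keys it dropped so the caller can log them. The `User` fields, the `CLIENT_WRITABLE` allow-list and the request body are all constructed for the example.

```python
"""Mass assignment: vulnerable binding vs. allow-listed binding (added example)."""
import json
from dataclasses import dataclass, fields


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False   # sensitive: must never be set from client input
    role: str = "member"     # sensitive: must never be set from client input


def update_user_vulnerable(user: User, body: str) -> User:
    """Binds every key of the JSON body that matches an attribute.

    A client that adds "is_admin": true to an ordinary profile edit
    escalates its own privileges. This is the pattern the test looks for.
    """
    for key, value in json.loads(body).items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


# Explicit allow-list of fields a client may write. Anything not listed is
# dropped, so newly added sensitive attributes are protected by default.
CLIENT_WRITABLE = frozenset({"username", "email"})

# Expected Python type for each User attribute, taken from the dataclass.
_FIELD_TYPES = {f.name: f.type for f in fields(User)}


def update_user_safe(user: User, body: str) -> tuple[User, list[str]]:
    """Binds only allow-listed, correctly typed fields.

    Returns the updated user and the sorted list of rejected keys. An
    attempt to set is_admin or role from the client is a useful signal to
    log, since legitimate clients never send those fields.
    """
    data = json.loads(body)
    rejected = []
    for key, value in data.items():
        if key not in CLIENT_WRITABLE:
            rejected.append(key)
            continue
        if not isinstance(value, _FIELD_TYPES[key]):
            rejected.append(key)   # right field name, wrong type
            continue
        setattr(user, key, value)
    return user, sorted(rejected)


# Constructed request body: a normal e-mail change with an extra property
# smuggled in alongside it.
PAYLOAD = json.dumps({"email": "alice@example.com", "is_admin": True})


if __name__ == "__main__":
    vulnerable = update_user_vulnerable(User("alice", "old@example.com"), PAYLOAD)
    print("vulnerable handler -> is_admin =", vulnerable.is_admin)

    safe, dropped = update_user_safe(User("alice", "old@example.com"), PAYLOAD)
    print("safe handler       -> is_admin =", safe.is_admin, "| rejected:", dropped)
```

The allow-list is the important part: a deny-list of known sensitive fields breaks silently the next time someone adds a privileged attribute to the model, whereas an allow-list has to be extended deliberately. Logging the rejected keys turns each blocked attempt into a detection signal for the property-level tampering described above.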
Configuration
Identifier:
injection/mass_assignment
Examples
All configuration available:
Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API1:2023 |
| OWASP LLM Top 10 | LLM06:2023 |
| PCI DSS | 6.5.10 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.18.1 |
| NIST | SP800-53 |
| FedRAMP | AC-6 |
| CWE | 915 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
| CVSS Score | 9.3 |