Injection: Mass Assignment

Identifier: mass_assignment

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

Mass assignment happens when an application automatically assigns user-supplied data to an object without properly filtering out unwanted fields. This can be dangerous because an attacker might include extra properties in a request that, if accepted, could grant them unauthorized access or let them modify sensitive configurations. The common mistake is not explicitly limiting which fields the application accepts from user input, which leaves room for manipulation and potential privilege escalation if an attacker can control critical properties.
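As an added illustration (not code from the scanner or this documentation), the following shows a profile-update handler in the mass-assignment-prone form described above, next to a version that only accepts an explicit allowlist of fields. The `User` class, the `role` field and the request body are constructed for the example.

```python
# Added example: mass assignment in a profile-update handler, vulnerable vs. hardened.
# All names here are hypothetical; the request body is constructed for the demo.
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    role: str = "user"  # privileged field: must never be settable from client input


# Vulnerable: every key in the request body is copied onto the object, so a
# client that adds "role": "admin" to an ordinary profile update gets it applied.
def update_profile_vulnerable(user: User, body: dict) -> User:
    for key, value in body.items():
        setattr(user, key, value)  # no filtering of unwanted fields
    return user


# Hardened: the endpoint declares which fields it accepts. Unexpected keys are
# rejected rather than silently dropped, so an attempt is visible in error logs.
PROFILE_WRITABLE = frozenset({"username", "email"})


def update_profile_hardened(user: User, body: dict) -> User:
    unexpected = set(body) - PROFILE_WRITABLE
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for key in PROFILE_WRITABLE & set(body):
        setattr(user, key, body[key])
    return user


# Constructed request: the expected profile fields plus an extra privileged property.
REQUEST = {"username": "alice", "email": "alice@example.com", "role": "admin"}


def demo() -> tuple:
    """Returns (role after vulnerable update, whether hardened handler rejected it)."""
    vuln_user = update_profile_vulnerable(User("alice", "a@example.com"), dict(REQUEST))
    try:
        update_profile_hardened(User("alice", "a@example.com"), dict(REQUEST))
        rejected = False
    except ValueError:
        rejected = True
    return vuln_user.role, rejected


if __name__ == "__main__":
    print(demo())  # ('admin', True)
```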

Configuration

Example

Example configuration:

---
security_tests:
  mass_assignment:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.