Injection: Mass Assignment

Identifier: mass_assignment

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner ASM Scanner

Description

Mass assignment vulnerabilities occur when applications automatically assign user-supplied data to objects without filtering unwanted fields, potentially allowing attackers to modify sensitive properties or escalate privileges.

How we test: We send requests with additional properties beyond what is expected and analyze responses to detect if unauthorized fields are accepted and processed. We test for mass assignment vulnerabilities by attempting to set sensitive properties that should not be user-controllable.

Execution conditions (BLST):

  • Runs when this test is enabled; coverage is OK, EMPTY_RESPONSE or VALIDATION_ERROR; the operation is CREATE or UPDATE; and the request body is a JSON object.
  • Alerts are raised only when the fuzzed response is OK and its body is JSON.
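As an added example, not taken from the scanner's own code, here is a minimal user-update handler written two ways, one that binds the whole JSON body onto the object and one that binds only an allow-list, together with a check that mirrors the probe described above (the User fields, the UPDATABLE_FIELDS allow-list and the sample request body are assumptions):

```python
# Added example: mass assignment in a JSON UPDATE handler, vulnerable vs. hardened.
import json
from dataclasses import dataclass, asdict


@dataclass
class User:  # hypothetical resource
    id: int
    email: str
    display_name: str
    role: str = "user"          # sensitive: must never be client-controllable
    is_verified: bool = False   # sensitive: set by the service, not the client


# Hypothetical allow-list of properties a client may change on UPDATE.
UPDATABLE_FIELDS = frozenset({"email", "display_name"})


def update_user_vulnerable(user: User, body: dict) -> str:
    """Binds every body key that matches an attribute (mass assignment)."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return json.dumps(asdict(user))


def update_user_hardened(user: User, body: dict) -> str:
    """Binds only allow-listed keys and drops everything else."""
    for key in set(body) & UPDATABLE_FIELDS:
        setattr(user, key, body[key])
    return json.dumps(asdict(user))


def detects_mass_assignment(handler, probe_field: str, probe_value) -> bool:
    """Mirrors the page's check: send a body with one extra property and see
    whether the OK JSON response shows it was accepted and processed."""
    user = User(id=1, email="a@example.test", display_name="Alice")  # constructed
    body = {"display_name": "Alice B.", probe_field: probe_value}   # constructed
    response = json.loads(handler(user, body))
    return response.get(probe_field) == probe_value


if __name__ == "__main__":
    for name, handler in (("vulnerable", update_user_vulnerable),
                          ("hardened", update_user_hardened)):
        hit = detects_mass_assignment(handler, "role", "admin")
        print(f"{name}: mass assignment {'detected' if hit else 'not detected'}")
```

The hardened variant also ignores unknown keys rather than rejecting the request, which keeps the response OK while the probed field never reaches the object.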

Configuration

Example

Example configuration:

---
security_tests:
  mass_assignment:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.