exploiting-mass-assignment-in-rest-apis

# Exploiting Mass Assignment in REST APIs ## When to Use - When testing REST APIs that accept JSON input for creating or updating resources - During API security assessments of applications using ORM frameworks (Rails, Django, Laravel, Spring) - When testing user registration, profile update, or account management endpoints - During bug bounty hunting on applications with CRUD API operations - When evaluating role-based access control implementation in API-driven applications ## Prerequisites - Burp Suite or Postman for API request crafting and interception - Understanding of ORM auto-binding behavior in common frameworks - API documentation or endpoint discovery through reconnaissance - Multiple user accounts with different privilege levels for testing - Knowledge of common sensitive fields (role, isAdmin, verified, balance, price) - Arjun or param-miner for hidden parameter discovery > **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws. ## Workflow ### Step 1 — Discover API Structure and Fields ```bash # Examine API responses to identify all object fields curl -H "Authorization: Bearer USER_TOKEN" http://target.com/api/users/me | jq . # Response reveals fields: id, username, email, role, isAdmin, verified, balance # Check API documentation for exposed schemas curl http://target.com/api/docs curl ...