testing-api-for-mass-assignment-vulnerability

Featured

Tests APIs for mass assignment (auto-binding) vulnerabilities where clients can modify object properties they should not have access to by including additional parameters in API requests. The tester identifies writable endpoints, adds undocumented fields to request bodies (role, isAdmin, price, balance), and checks if the server binds these to the data model without filtering. Part of OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving mass assignment testing, parameter binding abuse, auto-binding vulnerability, or API over-posting.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Testing API for Mass Assignment Vulnerability

## When to Use

- Testing API endpoints that accept JSON/XML request bodies for user profile updates, registration, or object creation
- Assessing whether the API binds all client-supplied properties to the data model without an allowlist
- Evaluating if users can set privileged attributes (role, permissions, pricing, balance) through regular update endpoints
- Testing APIs built with ORMs that auto-bind request parameters to database models
- Validating that server-side input validation restricts writable properties per user role

**Do not use** without written authorization. Mass assignment testing involves modifying object properties in potentially destructive ways.

## Prerequisites

- Written authorization specifying target API endpoints and scope
- Test accounts at different privilege levels
- API documentation or OpenAPI specification to identify expected request fields
- Burp Suite Professional for request interception and parameter injection
- Python 3.10+ with `requests` library
- Knowledge of the backend framework (Rails, Django, Express, Spring) to predict parameter binding behavior

## Workflow

### Step 1: Identify Writable Endpoints and Expected Parameters

```python
import requests
import json
import copy

BASE_URL = "https://target-api.example.com/api/v1"
user_headers = {"Authorization": "Bearer <user_token>", "Content-Type": "application/json"}

# Identify endpoints that accept write operations
writable_endpo...
```
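The vulnerability the skill looks for is the server binding every client-supplied key that matches a model field. The following added example (not part of the skill or the mukul975 repository) contrasts that auto-binding pattern with an allowlisted binder that only writes fields a regular user may change and reports every rejected key so the handler can log the attempt. The `User` model, the `USER_WRITABLE` allowlist and the sample payload are constructed for illustration.

```python
from dataclasses import dataclass, fields


@dataclass
class User:
    """Constructed model; role and balance are the privileged fields a
    profile-update endpoint must never accept from the client."""
    username: str
    email: str
    role: str = "user"
    balance: float = 0.0


# Fields a regular user may change through the profile-update endpoint
# (constructed allowlist for this example).
USER_WRITABLE = frozenset({"username", "email"})


def bind_unsafe(user: User, payload: dict) -> User:
    """Vulnerable pattern: any request key that matches a model field is
    written to the object, so 'role' or 'balance' in the body get bound."""
    model_fields = {f.name for f in fields(user)}
    for key, value in payload.items():
        if key in model_fields:
            setattr(user, key, value)
    return user


def bind_allowlisted(user: User, payload: dict,
                     allowed: frozenset = USER_WRITABLE) -> tuple[User, list[str]]:
    """Hardened pattern: only allowlisted keys are bound. Rejected keys are
    returned so the caller can log them; an unexpected privileged field in a
    request body is a useful detection signal."""
    rejected = sorted(k for k in payload if k not in allowed)
    for key in allowed & payload.keys():
        setattr(user, key, payload[key])
    return user, rejected


def demo() -> tuple[User, User, list[str]]:
    """Run both binders over the same constructed over-posted payload."""
    # Constructed request body: legitimate email change plus two injected
    # privileged fields that should be ignored.
    payload = {"email": "new@example.com", "role": "admin", "balance": 9999.0}
    unsafe_user = bind_unsafe(User("alice", "old@example.com"), payload)
    safe_user, rejected = bind_allowlisted(User("alice", "old@example.com"), payload)
    return unsafe_user, safe_user, rejected


if __name__ == "__main__":
    unsafe_user, safe_user, rejected = demo()
    print("auto-binding result:  ", unsafe_user)
    print("allowlisted result:   ", safe_user)
    print("rejected client keys: ", rejected)
```

Running `demo()` shows the auto-bound user promoted to `admin` with a balance of 9999.0, while the allowlisted user keeps `role="user"` and `balance=0.0` and the handler learns that `balance` and `role` were rejected. The allowlist should be chosen per endpoint and per caller role rather than reused globally.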

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0


Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Featured

exploiting-mass-assignment-in-rest-apis

Discover and exploit mass assignment vulnerabilities in REST APIs to escalate privileges, modify restricted fields, and bypass authorization controls by injecting unexpected parameters in API requests.

12,642 Updated today
mukul975
API & Backend Featured

exploiting-excessive-data-exposure-in-api

Tests APIs for excessive data exposure where endpoints return more data than the client application needs, relying on the frontend to filter sensitive fields. The tester intercepts API responses and analyzes them for leaked PII, internal identifiers, debug information, or sensitive business data that the UI does not display but the API transmits. This maps to OWASP API3:2023 Broken Object Property Level Authorization. Activates for requests involving API data leakage testing, excessive data exposure, response filtering bypass, or API over-fetching.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-broken-object-property-level-authorization

Detect and test for OWASP API3:2023 Broken Object Property Level Authorization vulnerabilities including excessive data exposure and mass assignment attacks.

12,642 Updated today
mukul975
API & Backend Featured

testing-api-for-broken-object-level-authorization

Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where an authenticated user can access or modify resources belonging to other users by manipulating object identifiers in API requests. The tester intercepts API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and systematically replaces them with IDs belonging to other users to determine if the server enforces per-object authorization. This is OWASP API Security Top 10 2023 risk API1. Activates for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, or API access control bypass.

12,642 Updated today
mukul975
API & Backend Featured

exploiting-api-injection-vulnerabilities

Tests APIs for injection vulnerabilities including SQL injection, NoSQL injection, OS command injection, LDAP injection, and Server-Side Request Forgery (SSRF) through API parameters, headers, and request bodies. The tester crafts malicious payloads targeting different backend technologies and injection contexts to extract data, execute commands, or access internal services. Maps to OWASP API8:2023 Security Misconfiguration and API7:2023 SSRF. Activates for requests involving API injection testing, SQLi in APIs, NoSQL injection, SSRF testing, or API input validation assessment.

12,642 Updated today
mukul975