Mass Assignment

Check List

Methodology

Black Box

Mass Assignment / Over-Privileging

Find any endpoint that creates or updates a resource like Registration or Profile update

Do the normal flow once with your low-privilege account and intercept the request with Burp Suite

In the request body (JSON or form-data), add one by one these classic privileged parameters

"isAdmin": true,
"admin": true,
"role": "admin",
"role": "administrator",
"role": "superadmin",
"permissions": ["admin"],
"level": 999,
"is_staff": true,
"is_superuser": true,
"account_type": "premium",
"verified": true,
"email_verified": true

Send the modified request and check the response → if it’s 200/201 → possible win

Log out and log in again → check if you suddenly became admin

If you become an admin, the vulnerability is confirmed

White Box

Cheat Sheet

PreviousBroken Function Level Authorization NextSecurity Misconfiguration

Last updated 1 month ago

hashtagCheck List

hashtagMethodology

hashtagBlack Box

hashtagMass Assignment / Over-Privileging

hashtagWhite Box

hashtagCheat Sheet