Deepshikha Paty
DI-ASM
What is it?
Mass assignment happens when your app automatically accepts and updates data from the user without checking which fields are being sent.
It lets attackers change things they're not supposed to, like making themselves an admin.
This becomes dangerous when:
- The user adds extra fields to the request (like isAdmin, credit, etc.)
- Your app blindly saves them to the database, even though those fields should never be changed by the user
How does it happen?
Imagine a signup form that asks for:
- Name
- Username
- Password
Example 1:
The database also has a credit field (default = 50), which users shouldn’t change.
But a hacker sends this extra data:
{ "name": "Eve", "username": "eve123", "password": "1234", "credit": 1000 }
If your backend automatically saves everything that is sent, then credit = 1000 will be stored, even though the form never offered that field! 😱
Example 2:
- An e-commerce app lets users update their profile via an API call, like changing their name or email.
- The backend automatically binds all fields from the request without filtering allowed fields.
- An attacker adds "role": "admin" to the request body, and the server accepts it, making the attacker an admin.
This is an example of Mass Assignment because the backend allows sensitive fields to be updated directly by users, without proper validation or restrictions.
🎯 Why is it risky?
- Users can increase their credit or change sensitive info like isAdmin: true
- They may tamper with data, giving them more access or benefits
- Leads to privilege escalation and data integrity issues
✅ How to prevent this?
- Only allow specific fields to be saved (use an "allowlist", for example Laravel's fillable / guarded properties or Rails strong parameters)
- Avoid saving everything the user sends without checking
- Know how your framework handles data binding
- Use security filters for create/update operations on models
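The following is an added example, not code from the original post: it shows the blind "bind everything" update from Examples 1 and 2 next to an allowlist-based update that implements the prevention advice above. The field names (credit, role, isAdmin) come from the post; the record layout, the helper names and the sample payload are assumptions constructed for the demo.

```python
# Added example (not from the original post): a blind "bind everything" update
# beside an allowlist-based update. Field names credit/role/isAdmin come from
# the post; the record layout, helper names and payloads are constructed here.
import copy

# Constructed sample record: the signup/profile data plus server-owned fields.
SAMPLE_USER = {
    "name": "Eve", "username": "eve123", "password": "1234",
    "credit": 50, "role": "user", "isAdmin": False,
}

# The allowlist (Laravel would call this "fillable"): the only fields a user
# may change on their own profile. Everything else is server-owned.
PROFILE_ALLOWLIST = frozenset({"name", "username", "password"})

# Constructed attacker-style payload: the extra fields from Examples 1 and 2.
CRAFTED_PAYLOAD = {"name": "Eve", "credit": 1000, "role": "admin", "isAdmin": True}


def update_vulnerable(user, payload):
    """Mass-assignment bug: every key in the request is copied into the record."""
    updated = copy.deepcopy(user)
    updated.update(payload)  # no check on which keys the request contains
    return updated


def update_safe(user, payload):
    """Copy only allowlisted keys. Returns (record, rejected_keys) so the
    rejected keys can be logged; unexpected fields are a useful detection signal."""
    updated = copy.deepcopy(user)
    rejected = []
    for key, value in payload.items():
        if key in PROFILE_ALLOWLIST:
            updated[key] = value
        else:
            rejected.append(key)
    return updated, sorted(rejected)


def request_is_clean(payload):
    """Stricter policy: accept the request only if it carries no extra fields."""
    return all(key in PROFILE_ALLOWLIST for key in payload)


def update_strict(user, payload):
    """Reject the whole request instead of silently dropping extra fields."""
    if not request_is_clean(payload):
        extra = sorted(k for k in payload if k not in PROFILE_ALLOWLIST)
        raise ValueError(f"unexpected fields in request: {extra}")
    return update_safe(user, payload)[0]


if __name__ == "__main__":
    bad = update_vulnerable(SAMPLE_USER, CRAFTED_PAYLOAD)
    print("vulnerable:", bad["credit"], bad["role"], bad["isAdmin"])
    good, dropped = update_safe(SAMPLE_USER, CRAFTED_PAYLOAD)
    print("allowlist:", good["credit"], good["role"], good["isAdmin"], "dropped:", dropped)
    try:
        update_strict(SAMPLE_USER, CRAFTED_PAYLOAD)
    except ValueError as err:
        print("strict:", err)
```

Running it shows the vulnerable path storing credit = 1000 and role = admin, while the allowlisted path keeps credit = 50 and role = user and reports the three dropped keys. Whether to silently drop extra fields or reject the request is a design choice: dropping is friendlier to clients, rejecting makes tampering attempts visible in your logs.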