APIs are the foundational building blocks of today's modern applications. Because of this wide adoption, software frameworks exist to help developers with the implementation, but some of these frameworks automatically bind a client's request parameters to code variables, opening the door for attackers to exploit a Mass Assignment vulnerability.
An API Mass Assignment vulnerability occurs when an API endpoint does not restrict which object properties a client may set, so a manually crafted request can modify internal properties that were meant to be immutable.
Attackers can take advantage of this vulnerability by crafting an HTTP request that escalates user privileges, bypasses security mechanisms, or otherwise makes the API endpoint behave in a way it was not designed to.
The above image is a pictorial representation of a possible exploitation of the Mass Assignment vulnerability. You can see that the attacker is able to escalate their privilege from normal user to admin by manipulating the JSON content of the API request.
In the first scenario, the attacker sends a valid API request to add the user and gets a response back with a parameter carrying information about the role.
In the second scenario, the attacker adds the role parameter to the JSON object of the API request; the endpoint binds it without restriction, resulting in successful exploitation of the vulnerability.
Automatic binding of a client's input data into the application's internal code variables should be avoided.
An allow list (or deny list) should clearly define which properties clients may or may not set.
The application schema should be well defined and enforced on all incoming client requests.
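The two scenarios above and the three countermeasures, as an added example that is not code from the original article: a handler that auto-binds every JSON property (so a client-supplied role overrides the server default) next to a hardened handler that enforces a schema and binds only allow-listed properties. The request bodies, the allow list and the schema are constructed for illustration.

```python
import json

# Constructed sample request bodies: a normal "add user" request, and the same
# request with a client-supplied "role" property added.
NORMAL_REQUEST = '{"username": "alice", "email": "alice@example.test", "password": "s3cret"}'
TAMPERED_REQUEST = '{"username": "mallory", "email": "m@example.test", "password": "pw", "role": "admin"}'

# Hypothetical allow list: the only properties a client may set when creating a user.
CLIENT_WRITABLE = frozenset({"username", "email", "password"})

# Hypothetical schema (property -> expected type), enforced on every incoming request.
SCHEMA = {"username": str, "email": str, "password": str}


def create_user_vulnerable(body: str) -> dict:
    """Automatic binding: every client-supplied key becomes a property of the new
    user, so a client-supplied "role" silently overrides the server-side default."""
    user = {"role": "user"}          # server-side default, meant to be immutable
    user.update(json.loads(body))    # mass assignment: no allow list, no schema check
    return user


def create_user_safe(body: str) -> dict:
    """Hardened version: reject unknown properties, enforce the schema, then bind
    only allow-listed fields. Internal properties stay under server control."""
    data = json.loads(body)
    unknown = set(data) - CLIENT_WRITABLE
    if unknown:
        # Rejecting (rather than silently dropping) also gives a clear signal to log and alert on.
        raise ValueError(f"unexpected properties: {sorted(unknown)}")
    missing = set(SCHEMA) - set(data)
    if missing:
        raise ValueError(f"missing properties: {sorted(missing)}")
    for key, expected in SCHEMA.items():
        if not isinstance(data[key], expected):
            raise ValueError(f"property {key!r} must be of type {expected.__name__}")
    user = {"role": "user"}
    for key in CLIENT_WRITABLE:      # bind only what the allow list permits
        user[key] = data[key]
    return user


def is_rejected(body: str) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        create_user_safe(body)
    except ValueError:
        return True
    return False
```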