Mass Assignment
detect, understand, remediate
Mass assignment occurs when an application automatically binds request parameters to internal data models without filtering, letting attackers modify protected fields like roles, prices, or permissions.
No credit card required. Free plan available forever.
What is mass assignment?
Mass assignment (CWE-915) is a vulnerability that occurs when an application automatically binds user-supplied input to internal data model properties without restricting which fields can be set. Attackers exploit this by including additional, unexpected fields in API requests or form submissions, modifying attributes they should never have access to, such as role, isAdmin, price, or account balance.
This vulnerability is prevalent in modern web frameworks that offer convenient auto-binding features. Ruby on Rails, Django, Laravel, Spring Boot, and Node.js frameworks like Express with body-parser all provide mechanisms that map incoming request parameters directly to database models. While this accelerates development, it creates a dangerous attack surface when developers fail to explicitly define which fields are safe for user modification. The result is a form of privilege escalation where regular users can grant themselves administrative access.
Mass assignment vulnerabilities are particularly insidious because they often exist in seemingly secure endpoints. An API that properly authenticates users and validates required fields may still be vulnerable if it does not explicitly filter out protected attributes. The GitHub breach of 2012, where a user gained admin access to the Rails repository by adding a public key to another user's account via mass assignment, remains one of the most well-known examples of this vulnerability class.
How it works
Inspect API request and response
The attacker examines API responses, documentation, or client-side code to identify all fields associated with a data model, including internal fields not exposed in the user interface.
Identify hidden or admin-only fields
By comparing the request body with the response object, the attacker discovers fields like role, isVerified, accountType, or discount that exist on the model but are not present in the form.
Add extra fields to request body
The attacker modifies the request to include the protected fields. For example, adding "role": "admin" or "price": 0 to a profile update or checkout request.
Modify protected attributes
If the server auto-binds the entire request body to the model without filtering, the injected fields are saved to the database, granting the attacker elevated privileges or manipulating business-critical data.
Common causes
Auto-binding request parameters to models
Frameworks that automatically map all incoming request fields to database model properties without requiring developers to explicitly declare which fields are writable. A single User.update(req.body) call exposes every column.
Missing allowlists for writable fields
Developers fail to define strong parameters, permitted attributes, or fillable/guarded properties that explicitly limit which fields can be set through user input, leaving internal fields modifiable.
ORM auto-mapping without field restrictions
Object-Relational Mappers that accept arbitrary key-value pairs and persist them directly to the database. Without column-level restrictions, any field in the schema becomes a potential target.
GraphQL input types exposing internal fields
GraphQL mutations with input types that mirror the full database schema, including administrative fields. Attackers can add these fields to mutation variables and modify protected attributes through <Link href="/vulnerabilities/graphql-vulnerabilities" className="text-emerald-400 hover:underline">GraphQL-specific attack vectors</Link>.
How to detect it
Automated detection
- SecPortal's code scanning identifies auto-binding patterns in source code, flagging instances where request bodies are passed directly to ORM update or create methods without field filtering
- Automated parameter fuzzing tests inject unexpected fields (role, isAdmin, verified) into API endpoints and compare before and after states to detect unauthorized attribute modification
- API schema review tools compare OpenAPI or GraphQL schema definitions against actual request handling code to identify fields that are accepted but should not be writable
Manual testing
- Capture a legitimate API request, add extra fields (role, permissions, balance, discount) to the JSON body, and check whether the response or database reflects the injected values
- Review the API response for fields that exist on the model but are not present in the user interface; these are strong candidates for mass assignment targets
- Test GraphQL mutations by adding undocumented fields to the input variables and observing whether the server accepts and persists them without validation errors
How to fix it
Use explicit allowlists (strong parameters)
Define a strict list of fields that users are permitted to modify. In Rails, use strong parameters (permit). In Django, use serializer fields. In Express, destructure only the allowed properties from req.body.
Implement DTOs and view models
Create dedicated Data Transfer Objects for each API endpoint that define exactly which fields are accepted as input. Map these DTOs to your internal models explicitly, never passing raw request data to the ORM.
Separate read and write models
Use different models or schemas for reading and writing. The write model should only include fields the user is allowed to modify, while the read model can include computed or admin-only fields in responses.
Disable auto-binding by default
Configure your framework to require explicit field mapping rather than automatic binding. In Rails, enable required mass assignment protection. In Spring, use @JsonIgnore on sensitive properties.
Add schema validation at the API boundary
Use JSON Schema, Zod, Joi, or similar validation libraries to define the exact shape of accepted request bodies. Reject requests that contain any fields not in the schema, including unknown properties.
Compliance impact
Detect mass assignment flaws
SecPortal's code scanner identifies unfiltered parameter binding across Rails, Django, Express, and Spring applications. Start free.
No credit card required. Free plan available forever.