Mass Assignment Attacks
API3-Broken Object Property Level Authorization (BOPLA)
Using a browser, submit data for creating a new account in crAPI.
Set FoxyProxy to proxy traffic to Burp Suite.
Submit the form and ensure the request is intercepted with Burp Suite.
Send the intercepted request to Repeater for further analysis.
Before any attacks, submit a successful request to establish a baseline.
Test the registration process for mass assignment.
Attempt to upgrade an account to an administrator role by adding variables used to identify admins.
If no admin documentation is available, try adding variables like:
  "isadmin": true
  "isadmin": "true"
  "admin": 1
  "admin": true
Analyze API responses for any indications of success or failure.
Use Intruder to test various options by placing attack positions around the "isadmin" and "true" values.
Set the attack type to cluster bomb and add payloads for positions 1 and 2.
Review results for any unique findings.
Ensure Param Miner is installed as a Burp Suite extension.
Right-click on a request to mine parameters using Param Miner.
Configure Param Miner options and click OK.
Navigate to Extender > Extensions, select Param Miner, and check the Output tab for results.
Insert any new parameters detected back into the original request and fuzz for results.
Mass assignment attacks extend beyond becoming an administrator.
Explore unauthorized access to other organizations.
If user objects include organizational groups, attempt to gain access to those groups.
Example: Add an "org" variable to the request and fuzz its value to potentially gain unauthorized access.
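Seen from the defending side, the two findings above (an "isadmin" flag accepted at registration, and an "org" field that moves an account into another organization) are one defect: the handler binds whatever keys the request body carries onto the new user object. The Python below is an added example, not code from crAPI or from the original page; the User class, the ALLOWED_REGISTRATION_FIELDS allow-list and the "default" organization are assumptions for illustration. It places the vulnerable binding beside a hardened version that copies only allow-listed fields, sets privilege and tenancy server-side, and reports the rejected keys so that attempts to set them can be logged.

```python
"""
Added example (not crAPI code): mass assignment at registration, vulnerable
and hardened. Field names "isadmin" and "org" follow the page; the User class,
the allow-list and the "default" org are assumptions for illustration.
"""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class User:
    email: str = ""
    password: str = ""
    name: str = ""
    isadmin: bool = False   # privilege flag: must never come from the client
    org: str = "default"    # tenancy: assigned by the server, not the request


def register_vulnerable(raw_json: str) -> User:
    """Vulnerable pattern: every key in the body that matches an attribute
    is copied onto the new User. 'isadmin' and 'org' ride along unchecked,
    and a string such as "true" is stored as-is and evaluates truthy later."""
    data = json.loads(raw_json)
    user = User()
    for key, value in data.items():
        if hasattr(user, key):          # the only 'check': the attribute exists
            setattr(user, key, value)
    return user


# Fields the client is allowed to supply when creating an account (assumed).
ALLOWED_REGISTRATION_FIELDS = {"email", "password", "name"}


def register_hardened(raw_json: str) -> Tuple[Optional[User], List[str]]:
    """Hardened pattern: bind only allow-listed fields, set privilege and
    tenancy server-side, and return any rejected keys so the caller can
    log them. Assumed policy: a body carrying unexpected keys is refused
    rather than silently trimmed, which keeps the attempt visible."""
    data = json.loads(raw_json)
    rejected = sorted(k for k in data if k not in ALLOWED_REGISTRATION_FIELDS)
    if rejected:
        return None, rejected
    user = User(
        email=str(data.get("email", "")),
        password=str(data.get("password", "")),
        name=str(data.get("name", "")),
    )
    user.isadmin = False    # role is granted elsewhere, never via registration
    user.org = "default"    # organization membership is decided by the server
    return user, []


if __name__ == "__main__":
    # Constructed request bodies modelled on the variants listed above.
    body = '{"email": "a@example.com", "password": "pw", "isadmin": true, "org": "acme"}'
    print("vulnerable:", register_vulnerable(body))
    print("hardened:  ", register_hardened(body))
```

In a real service the rejected-key list is what you alert on: a registration request carrying "isadmin", "admin" or "org" is a direct signal that someone is probing for this weakness, and the hardened handler surfaces it instead of absorbing it.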
Analyze the target API collection for requests that:
  Accept user input.
  Have the potential to modify objects.
Create a new collection for mass assignment testing to avoid damaging the original collection.
Duplicate interesting requests and update unresolved variables.
Understand the purpose of each request in the API collection.
Test other endpoints used for updating accounts, group information, user profiles, company profiles, etc.