Security Intermediate 5 tests

Mass Assignment

The server exposes two user-creation endpoints. One blindly maps all request fields onto the user object - including privileged fields the client should never control. Find which fields slip through and what they unlock.

What is Mass Assignment?

Mass assignment occurs when a server applies all fields from a user payload directly to a model without a whitelist. Attackers inject extra fields - is_admin, role, account_balance - that the API was never meant to expose. The safe endpoint demonstrates the correct fix: an explicit field whitelist.

What is hidden here

Test 1 POST /mass-assignment/ with is_admin=true - flag accepted and set on user record (bug)
Test 2 POST with role=admin - role overwritten on unsafe endpoint (bug)
Test 3 POST with account_balance=99999 - balance field accepted (bug)
Test 4 POST to safe endpoint with is_admin=true - extra field ignored (true positive)
Test 5 POST with only name and email - user created correctly (true negative)
Endpoint A - Unsafe
POST /qa-sandbox/mass-assignment/
endpoint=unsafe (default)
Accepts all POST fields and maps them directly onto the user record. Privileged fields are never filtered.
Endpoint B - Safe
POST /qa-sandbox/mass-assignment/
endpoint=safe
Whitelists only name and email. All other fields are silently dropped before the record is created.


Custom Payload

Send is_admin=true to the unsafe endpoint - check if is_admin appears as true in the returned user record.
Try both spellings: is_admin and isAdmin - both are accepted by the unsafe endpoint.
Add role=superuser alongside normal fields - does the server return the overridden role?
Try account_balance=-500 - negative values are accepted without validation.
Repeat the same payloads against endpoint=safe and confirm each extra field appears in rejected_fields, not in the user record.

Postman / API Guide

All tests hit POST /qa-sandbox/mass-assignment/ with an x-www-form-urlencoded body.

Switch endpoints by including endpoint=unsafe or endpoint=safe in the body.

Test 1 - Privilege escalation (unsafe endpoint)
POST /qa-sandbox/mass-assignment/
Content-Type: application/x-www-form-urlencoded

name=attacker&email=x%40x.com&is_admin=true&endpoint=unsafe
Test 2 - Role override
POST /qa-sandbox/mass-assignment/
Content-Type: application/x-www-form-urlencoded

name=attacker&email=x%40x.com&role=admin&endpoint=unsafe
Test 3 - Balance manipulation
POST /qa-sandbox/mass-assignment/
Content-Type: application/x-www-form-urlencoded

name=attacker&email=x%40x.com&account_balance=99999&endpoint=unsafe
Test 4 - Safe endpoint blocks is_admin
POST /qa-sandbox/mass-assignment/
Content-Type: application/x-www-form-urlencoded

name=attacker&email=x%40x.com&is_admin=true&endpoint=safe
Expected response shape (bug found)
{
  "status": "bug_found",
  "icon": "🎉",
  "title": "Bug Found - Mass Assignment Vulnerability",
  "user_record": {
    "name": "attacker",
    "email": "x@x.com",
    "role": "user",
    "is_admin": true
  },
  "accepted_fields": ["name", "email", "is_admin", "endpoint"]
}
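A minimal model of both handlers, written as an added example (it is not the sandbox's own code). It parses the form bodies from the Postman tests above, builds the user record the way Endpoint A and Endpoint B are described, and emits the accepted_fields / rejected_fields keys from the response shape. Assumptions of mine, not stated on the page: the unsafe handler normalises camelCase keys (which would explain why isAdmin is accepted alongside is_admin), form values are loosely coerced ("true" to bool, digit strings to int), the privileged defaults for role, is_admin and account_balance, and the status value "ok" for a clean result (the page only shows "bug_found").

```python
import re
from urllib.parse import parse_qs

# Fields the client is allowed to set on the safe endpoint. Everything else is dropped.
ALLOWED_FIELDS = frozenset({"name", "email"})

# Privileged attributes with their defaults (assumed values; only trusted server
# code should ever change these, never the request body).
USER_DEFAULTS = {"role": "user", "is_admin": False, "account_balance": 0}

# Fields that select the handler, mirroring the sandbox's endpoint=safe|unsafe switch.
CONTROL_FIELDS = frozenset({"endpoint"})


def parse_form_body(body: str) -> dict:
    """Parse an x-www-form-urlencoded body into a flat dict (last value wins)."""
    return {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _to_snake_case(name: str) -> str:
    # Assumption: the unsafe handler folds camelCase keys, so isAdmin -> is_admin.
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()


def _coerce(value: str):
    """Assumed loose typing of form values: 'true'/'false' -> bool, digits -> int, else str."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    try:
        return int(value)
    except ValueError:
        return value


def create_user_unsafe(fields: dict) -> dict:
    """Endpoint A: every submitted field is written onto the user record (vulnerable)."""
    record = dict(USER_DEFAULTS)
    for key, value in fields.items():
        if key in CONTROL_FIELDS:
            continue
        record[_to_snake_case(key)] = _coerce(value)
    # accepted_fields lists the raw keys as sent, including the endpoint switch,
    # matching the response shape shown for a bug_found result.
    return {"user_record": record, "accepted_fields": list(fields)}


def create_user_safe(fields: dict) -> dict:
    """Endpoint B: only whitelisted fields reach the record; the rest are reported."""
    record = dict(USER_DEFAULTS)
    rejected = []
    for key, value in fields.items():
        if key in CONTROL_FIELDS:
            continue
        if key in ALLOWED_FIELDS:
            record[key] = value
        else:
            rejected.append(key)
    return {"user_record": record, "rejected_fields": rejected}


def handle_request(body: str) -> dict:
    """Route a raw form body to the selected handler and grade the outcome."""
    fields = parse_form_body(body)
    handler = create_user_safe if fields.get("endpoint") == "safe" else create_user_unsafe
    result = handler(fields)
    record = result["user_record"]
    # A bug is flagged when any privileged default was overridden by the client.
    escalated = any(record[k] != v for k, v in USER_DEFAULTS.items())
    result["status"] = "bug_found" if escalated else "ok"  # "ok" is an assumed value
    return result


if __name__ == "__main__":
    # Test 1 and Test 4 bodies from the Postman guide above.
    print(handle_request("name=attacker&email=x%40x.com&is_admin=true&endpoint=unsafe"))
    print(handle_request("name=attacker&email=x%40x.com&is_admin=true&endpoint=safe"))
```

The safe handler never consults the privileged keys at all: it starts from server-owned defaults and copies only the two allowed fields, so there is nothing for a new spelling or a new privileged attribute to slip past. The unsafe handler shows the inverse shape, where the record is whatever the client sent plus defaults, and the grading step at the end is what the sandbox's bug_found verdict amounts to.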