Mass Assignment

Mass Assignment is a vulnerability where a web application automatically binds user input to internal object fields without proper restrictions.

Because of this, an attacker can modify hidden or sensitive parameters (like role, is_admin, price, etc.) that the application did not intend users to control.

Example:

Normal signup request:

{
  "email": "[email protected]",
  "password": "Password123"
}

Attacker modifies it to:

{
  "email": "[email protected]",
  "password": "Password123",
  "role": "admin"
}

If the backend accepts all parameters, the attacker can create an admin account or escalate privileges.