Mass Assignment

This course focuses on API security: the kinds of vulnerabilities found in APIs, how to exploit them, and how to secure them. These skills will help you earn bug bounties for the vulnerabilities you find and protect your own APIs.


Hi. In this lecture we're going to take a look at the API6 challenge, which is mass assignment, and again we have a hint. It says: "Welcome to our store. We will give you credits if you behave nicely. Our credit management is super secure." Great. So if we sign up for an account with a username and password, I believe we're going to get some credit back. Let's see. We already have two endpoints here: in the first one we give the username, password, address and mobile number, and in the next one we get the user's details, so this is pretty standard. I'm going to go to Create User, open the body, and, as before, we get an authentication key once we create the user. I'm going to fill in name, username and password: for the name and username I'll write my own name, and for the password atil123. When we send that, we get the name, username and ID back.

Now, Get User asks for an ID, but in the URL we see something like user/me, so maybe it works with the authentication key instead. Let's try it. Here we go. I believe the developer has changed this a little, because we don't see any address or mobile number, only ID, name and username. It doesn't matter, because if I try to change the ID to 1 or 2, as you can see, we don't get anything back, so we should stick with the latest version and just run this as me. The point here is that the response contains an extra parameter called credit. It comes back for my authentication key, and although we're not sending anything in the body, we get the right ID, name and username, and the credit is zero.

So what can we do? We send name, username and password, but maybe we can add credit as a parameter ourselves, even though we're not asked for it. We can try creating a new user with it; maybe it will work, maybe it won't. Name, username and password are required parameters: if we don't send them, the request won't work. But if we add a parameter that we know exists in the database, maybe the server will accept it. So I'm going to change the name and username to atlas and add a new parameter, credit, with some random number like 500. It doesn't matter what number you write, but don't forget the commas and make sure the body is valid JSON, otherwise it won't work. If I send this, I get an ID back. Great. Now let me check whether the authentication token has been renewed. Yep. If I send the Get User request again, here we go: I have atlas, I have the credit, and I have the flag.

What did I do? I saw the credit parameter in the GET response, so I thought, why not add it as a parameter in the POST request as well? The server should have checked for it, but it didn't. In real life you will find a lot of APIs like this, for example with admin: true, because they all send admin: false by default. Even if you don't see the field, you can try adding it. So I believe this was a great example of the mass assignment vulnerability; rather than admin: true, we're sending credit: 500. And if you don't want to do it in Postman, you can also send this to Burp Suite.

You can see the request there, send it to Repeater and repeat the process so that you can see it for yourself. I'm going to turn this off because we have already seen that. Great. Now we are done with API6. I'm going to stop here and continue in the next one.
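The flow of the lecture, modelled in plain Python as an added example (this is not the course's code and not the real challenge server; the endpoint functions, the "database" list, the field allowlist and the request bodies are constructed stand-ins). It shows the vulnerable pattern, binding every JSON key straight onto the user record, beside a hardened version that copies only allowlisted fields and rejects anything else, and it turns the lecture's observation into a reusable check: fields that appear in the GET response but were never part of the POST body are the candidates to inject.

```python
"""Mass assignment: vulnerable binding vs. allowlisted binding (added example)."""
import json

# Server-assigned fields a client must never be able to set.
USER_DEFAULTS = {"credit": 0, "admin": False}
# Fields the Create User endpoint requires (as in the lecture).
REQUIRED = ("name", "username", "password")
# Assumed allowlist for the hardened endpoint: the fields the form asked for.
CLIENT_WRITABLE = set(REQUIRED) | {"address", "mobile_no"}

# Constructed request bodies mirroring the two POSTs from the lecture.
BASELINE_BODY = json.dumps({"name": "Atil", "username": "atil", "password": "atil123"})
INJECTED_BODY = json.dumps(
    {"name": "Atlas", "username": "atlas", "password": "atil123", "credit": 500}
)


def _require(body):
    missing = [k for k in REQUIRED if k not in body]
    if missing:
        raise ValueError(f"missing required fields: {missing}")


def create_user_vulnerable(db, body_json):
    """Vulnerable: every key the client sends is merged into the record."""
    body = json.loads(body_json)
    _require(body)
    record = dict(USER_DEFAULTS)
    record.update(body)  # mass assignment: 'credit' / 'admin' overwrite the defaults
    record["id"] = len(db) + 1
    db.append(record)
    return {"id": record["id"], "name": record["name"], "username": record["username"]}


def create_user_hardened(db, body_json):
    """Hardened: only allowlisted keys are bound; unknown keys fail loudly."""
    body = json.loads(body_json)
    _require(body)
    unexpected = sorted(set(body) - CLIENT_WRITABLE)
    if unexpected:  # reject rather than silently drop, so probing is visible in logs
        raise ValueError(f"unexpected fields: {unexpected}")
    record = dict(USER_DEFAULTS)
    record.update({k: body[k] for k in CLIENT_WRITABLE if k in body})
    record["id"] = len(db) + 1
    db.append(record)
    return {"id": record["id"], "name": record["name"], "username": record["username"]}


def get_me(db, user_id):
    """What /user/me returns: id, name, username plus the server-side fields."""
    user = db[user_id - 1]
    return {k: user[k] for k in ("id", "name", "username", "credit", "admin")}


def candidate_fields(me_response, post_fields):
    """Fields visible in a GET response that the POST body never asked for."""
    return sorted(set(me_response) - set(post_fields) - {"id"})


def run_vulnerable():
    """Baseline signup, read /me, inject the extra field, read /me again."""
    db = []
    first = create_user_vulnerable(db, BASELINE_BODY)
    extras = candidate_fields(get_me(db, first["id"]), REQUIRED)  # ['admin', 'credit']
    second = create_user_vulnerable(db, INJECTED_BODY)
    return extras, get_me(db, second["id"])["credit"]


def run_hardened():
    """Same two requests against the allowlisted endpoint."""
    db = []
    first = create_user_hardened(db, BASELINE_BODY)
    try:
        create_user_hardened(db, INJECTED_BODY)
        outcome = "accepted"
    except ValueError as exc:
        outcome = str(exc)
    return get_me(db, first["id"])["credit"], outcome


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("hardened:  ", run_hardened())
```

The hardened version deliberately keeps the allowlist separate from the storage model: deriving "writable fields" from whatever columns exist is exactly what makes the vulnerable version fail. Most frameworks offer the same idea natively (Rails strong parameters, Laravel's `$fillable`/`$guarded` on Eloquent models), and rejecting unknown keys instead of silently ignoring them also gives you a log line every time someone probes with `credit` or `admin`.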


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.