Mass Assignment
What is Mass Assignment?
Mass Assignment: A vulnerability where an application blindly binds client-supplied request fields to internal object properties, letting attackers set fields they should not control.
Mass assignment occurs when frameworks (Rails, Spring, ASP.NET, NestJS, Django) automatically map incoming JSON or form fields onto model attributes without an explicit allow-list. An attacker can add extra properties — isAdmin, role, balance, tenantId — that the server then writes to the database. The flaw is hard to spot in code review because the assignment is implicit. It is also known as autobinding or object injection. Mitigations include explicit DTOs or input schemas, strict allow-lists of bindable fields, separating internal-only attributes from user-bindable models, and security tests that submit unexpected JSON keys.
● Examples
- 01: Sending {"name":"Bob","isAdmin":true} to /api/users and being promoted to admin.
- 02: Updating an order with a hidden discount field via POST to bypass pricing rules.
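The following added example (not code from the original page or any framework) shows the blind binding described above next to an allow-listed update, using a hypothetical in-memory User model and a constructed request body modelled on example 01.

```python
# Added example: a blindly bound update handler beside an allow-listed one.
# The User model and both handlers are hypothetical, not from any framework.
from dataclasses import dataclass

# Input schema: the only fields a client may set, with their expected types.
USER_INPUT_SCHEMA = {"name": str, "email": str}


@dataclass
class User:
    name: str
    email: str
    is_admin: bool = False   # internal-only: must never be client-bindable
    balance: int = 0         # internal-only


def update_user_vulnerable(user: User, payload: dict) -> User:
    """Mass assignment: every key in the request body becomes an attribute."""
    for key, value in payload.items():
        setattr(user, key, value)  # is_admin, balance, ... are all accepted
    return user


def update_user_safe(user: User, payload: dict) -> User:
    """Allow-list: bind only schema fields; reject anything unexpected."""
    unexpected = set(payload) - set(USER_INPUT_SCHEMA)
    if unexpected:
        # Rejecting (rather than silently dropping) makes probes visible in logs.
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for key, expected_type in USER_INPUT_SCHEMA.items():
        if key in payload:
            if not isinstance(payload[key], expected_type):
                raise ValueError(f"bad type for field {key}")
            setattr(user, key, payload[key])
    return user


# Constructed request body, modelled on example 01 above.
MALICIOUS_PAYLOAD = {"name": "Bob", "is_admin": True}


def demo() -> tuple:
    """Returns (is_admin after the vulnerable update, whether the safe one rejected)."""
    victim = update_user_vulnerable(User("Alice", "alice@example.com"), MALICIOUS_PAYLOAD)
    try:
        update_user_safe(User("Alice", "alice@example.com"), MALICIOUS_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return victim.is_admin, rejected
```

A security test in the spirit of the definition is simply the `update_user_safe` call with an unexpected key: it must fail, never silently succeed.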
● Frequently asked questions
What is Mass Assignment?
A vulnerability where an application blindly binds client-supplied request fields to internal object properties, letting attackers set fields they should not control. It belongs to the Vulnerabilities category of cybersecurity.
What does Mass Assignment mean?
A vulnerability where an application blindly binds client-supplied request fields to internal object properties, letting attackers set fields they should not control.
How do you defend against Mass Assignment?
Defences for Mass Assignment combine technical controls with operational practices: explicit DTOs or input schemas, strict allow-lists of bindable fields, keeping internal-only attributes (such as isAdmin, role, balance, tenantId) out of user-bindable models, and security tests that submit unexpected JSON keys to confirm they are rejected.
What are other names for Mass Assignment?
Common alternative names include: Autobinding vulnerability, Object injection.