CyberGlossary

Vulnerabilities

Mass Assignment

Also known as: Autobinding vulnerability, Object injection

Definition

A vulnerability where an application blindly binds client-supplied request fields to internal object properties, letting attackers set fields they should not control.

Mass assignment occurs when frameworks (Rails, Spring, ASP.NET, NestJS, Django) automatically map incoming JSON or form fields onto model attributes without an explicit allow-list. An attacker can add extra properties — isAdmin, role, balance, tenantId — that the server then writes to the database. The flaw is hard to spot in code review because the assignment is implicit. It is also known as autobinding or object injection. Mitigations include explicit DTOs or input schemas, strict allow-lists of bindable fields, separating internal-only attributes from user-bindable models, and security tests that submit unexpected JSON keys.

Examples

  • Sending {"name":"Bob","isAdmin":true} to /api/users and being promoted to admin.
  • Updating an order with a hidden discount field via POST to bypass pricing rules.
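To make the definition and the first example concrete, here is an added illustration (not code from the glossary or from any of the frameworks it names): a hypothetical user-update handler written once with implicit binding and once with the explicit allow-list the mitigations call for, plus the kind of security test that submits an unexpected key.

```python
# Added example: implicit binding vs. an allow-listed update handler.
# Names (User, update_user_unsafe, update_user_safe, USER_BINDABLE) are
# hypothetical; the request bodies are constructed for the demo.
from dataclasses import dataclass

@dataclass
class User:
    name: str
    email: str
    is_admin: bool = False   # internal-only: must never be client-bindable
    balance: int = 0         # internal-only

# "Before": every client-supplied key is written onto the model, which is
# what autobinding does when no allow-list is configured.
def update_user_unsafe(user: User, payload: dict) -> User:
    for key, value in payload.items():
        setattr(user, key, value)   # is_admin / balance ride along unchecked
    return user

# "After": only the fields a user may edit are bindable; any other key in
# the request is rejected before it can reach the model or the database.
USER_BINDABLE = {"name", "email"}

class UnexpectedFieldError(ValueError):
    pass

def update_user_safe(user: User, payload: dict) -> User:
    unexpected = set(payload) - USER_BINDABLE
    if unexpected:
        raise UnexpectedFieldError(f"non-bindable fields: {sorted(unexpected)}")
    for key in USER_BINDABLE & set(payload):
        setattr(user, key, payload[key])
    return user

# Constructed body: the glossary's example, using the model's field name.
ATTACKER_PAYLOAD = {"name": "Bob", "is_admin": True}

def rejects(payload: dict) -> bool:
    """Security-test helper: does the hardened handler refuse this body?"""
    try:
        update_user_safe(User("alice", "alice@example.test"), payload)
        return False
    except UnexpectedFieldError:
        return True

if __name__ == "__main__":
    u = update_user_unsafe(User("alice", "alice@example.test"), ATTACKER_PAYLOAD)
    print("unsafe handler promoted the caller:", u.is_admin)   # True
    print("safe handler rejected the body:", rejects(ATTACKER_PAYLOAD))   # True
```

The same pattern covers the second example: keep `discount` out of the order's bindable set and the hidden field is refused rather than written.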

Related terms