Online Courses
API Penetration Testing Course
Online Courses
API Penetration Testing Course
  • Introduction
  • Setting Up
    • Tools
    • Hacking Lab
  • API Reconnaissance
    • Introduction to API Reconnaissance
    • Passive Reconnaissance
      • Google Dorking
      • GitDorking
      • TruffleHog
      • API Directories
      • Shodan
      • The Wayback Machine
    • Active Reconnaissance
      • Nmap
      • OWASP Amass
      • Directory Brute-force with Gobuster
      • Kiterunner
      • DevTools
      • Directory Brute-Forcing
  • Endpoint Analysis
    • Reverse Engineering an API
    • Excessive Data Exposure
    • Assessment
  • Scanning APIs
    • Finding Security Misconfigurations
    • Scanning APIs with OWASP ZAP
    • Assessment
  • Authentication Attacks
    • Classic Authentication Attacks
      • Note on Base64 Encoding
    • Token Attacks
    • Assessment
  • Exploiting API Authorization
    • Exploiting API Authorization
    • Broken Object Level Authorization (BOLA)
    • Broken Function Level Authorization (BFLA)
    • Assessment
  • Improper Assets Management
    • Improper Assets Management
    • Finding Improper Assets Management Vulnerabilities
    • Assessment
  • Mass Assignment
    • Mass Assignment Attacks
    • Other Mass Assignment Vectors
    • Hunting for Mass Assignment
    • Assessment
  • Exploiting Server-Side Request Forgery
    • Server-Side Request Forgery
    • Types of SSRF
    • Ingredients for SSRF
    • Testing for SSRF
    • Assessment
  • Injection Vulnerabilities
    • Testing for Injection Vulnerabilities
    • Discovering Injection Vulnerabilities
      • SQL Injection Metacharacters
      • NoSQL Injection
      • OS Injection
    • Fuzzing Wide with Postman
    • Fuzzing Deep with WFuzz
    • Assessment
  • Evasion and Combining Techniques
    • Evasive Maneuvers
    • Combining Techniques
Powered by GitBook
On this page
  1. Mass Assignment

Other Mass Assignment Vectors

Mass assignment attacks go beyond making attempts to become an administrator.

You could also use mass assignment to gain unauthorized access to other organizations, for instance. If your user objects include an organizational group that allows access to company secrets or other sensitive information, you can attempt to gain access to that group. In this example, we’ve added an "org" variable to our request and turned its value into an attack position we could then fuzz in Burp Suite:

POST /api/v1/register
--snip--
{
"username":"hAPI_hacker",
"email":"hapi@hacker.com",
"org": "§CompanyA§",
"password":"Password1!"
}

If you can assign yourself to other organizations, you will likely be able to gain unauthorized access to the other group’s resources. To perform such an attack, you’ll need to know the names or IDs used to identify the companies in requests. If the "org" value was a number, you could brute-force its value, like when testing for BOLA, to see how the API responds.

Do not limit your search for mass assignment vulnerabilities to the account registration process. Other API functions are capable of being vulnerable. Test other endpoints used for updating accounts, updating group information, user profiles, company profiles, and any other requests where you may be able to assign yourself additional access.

PreviousMass Assignment AttacksNextHunting for Mass Assignment

Last updated 1 year ago