The API takes any parameter the user supplies and assigns it to the data model without proper validation.
Example: a user can register as admin by setting a hidden parameter, say isadmin, to true, simply by adding that parameter to the JSON request body while signing up.
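The sign-up case above as an added example (not from the original notes): a handler that binds the whole JSON body onto the user record, beside one that accepts only an allow-list of fields and rejects anything else. The field names (username, email, isadmin) and the request body are constructed for illustration.

```python
# Added example, not from the original notes. Field names and the request
# body are constructed; the point is the binding logic, not the framework.
from dataclasses import dataclass


@dataclass
class User:
    username: str = ""
    email: str = ""
    isadmin: bool = False   # must only ever be set server-side


# Fields a client is allowed to supply at registration.
REGISTER_ALLOWLIST = frozenset({"username", "email"})


def register_vulnerable(body: dict) -> User:
    """Binds every key in the request body straight onto the model.
    A body carrying "isadmin": true therefore yields an admin account."""
    user = User()
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def register_safe(body: dict) -> User:
    """Binds only allow-listed fields. Unknown or missing keys raise, so a
    hidden parameter becomes a visible, loggable error instead of a silent
    privilege grant. isadmin keeps its server-side default."""
    keys = set(body)
    unexpected = keys - REGISTER_ALLOWLIST
    if unexpected:
        raise ValueError(f"unexpected field(s): {sorted(unexpected)}")
    missing = REGISTER_ALLOWLIST - keys
    if missing:
        raise ValueError(f"missing field(s): {sorted(missing)}")
    return User(username=str(body["username"]), email=str(body["email"]))


# Constructed request body: a normal sign-up plus the hidden flag.
SIGNUP_BODY = {"username": "alice", "email": "alice@example.com", "isadmin": True}

if __name__ == "__main__":
    print("vulnerable isadmin:", register_vulnerable(SIGNUP_BODY).isadmin)
    try:
        register_safe(SIGNUP_BODY)
    except ValueError as exc:
        print("safe handler rejected request:", exc)
```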
Try adding parameters manually to the requests and see whether the response varies.
Param Miner extension
- right click > Extensions > Param Miner > Guess parameters > Guess JSON parameters; the output appears in the Extender tab