Mass Assignment in vAPI

Prathamesh Khatavkar
3 min read · Apr 21, 2023

In this article, we walk through discovering and exploiting the Mass Assignment vulnerability in vAPI.

Before proceeding, we assume that vAPI, Burp Suite and Postman are installed and configured, and that everything is in good shape to start with.

  • Definition:

Mass assignment is a vulnerability in which an API binds client-supplied request fields directly onto an internal object without an allow-list of what the client may set. An attacker can then append parameters they were never meant to control (a role flag, a balance, an owner id) and have the backend accept them, which typically results in privilege escalation or tampering with business data. It is listed as API6 in the OWASP API Security Top 10 (2019).

  • Understanding scenario

We start by analysing the API request structure manually in Postman, beginning with the Create User request. It looks like an ordinary user-creation POST with the parameters name, username and password, so we created a test user with arbitrary values.

fig. Create User request analysis

According to the response, a user was created with the specified username and assigned an id. Now let's look at the Get User request. It needs no user input, so we sent it as-is, and in the response we found that on creation the backend also attaches a parameter named credit to the account, initially 0. Nice! A field that the client never sent but the server stores on the same object is exactly the kind of thing mass assignment lets us reach.

fig. Get User request analysis

Based on these findings, if the Create User endpoint is vulnerable to mass assignment, we should be able to set an arbitrary number of credits on our account at creation time simply by including credit in the request body.

  • Attacking

So we created another account in Create User with different credentials, inserted an extra credit parameter with an arbitrary value (as seen in the figure below), and sent the request. BOOM!! The request was accepted and an id was assigned. On its own that only tells us the extra field did not trip any validation; whether it was actually bound is checked in the next step.

fig. forged Create User request submission

Now it's time to see whether the credit assignment took effect. We sent the Get User request unchanged, and in return we received 1000 credits for our newly created account, together with the flag.

fig. final Get User request submission
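To make the server-side cause of this behaviour concrete, here is an added Python model of the scenario (example code written for this walkthrough, not vAPI's own source). The vulnerable store copies every attribute-shaped key of the JSON body onto the user object, which is why an extra credit field sticks; the hardened store binds only an allow-list of client fields and rejects anything else. A small helper also encodes the discovery step above: fields that appear in the Get User response but were never part of Create User are the first candidates to inject. The field names name, username, password, id and credit come from the walkthrough; the store classes, the constructed sample response, the 1000-credit forged value and the reject-on-unexpected-field behaviour are assumptions.

```python
from dataclasses import dataclass, asdict
from itertools import count

# Fields a client is allowed to set on Create User (from the walkthrough).
CLIENT_FIELDS = {"name", "username", "password"}


@dataclass
class User:
    name: str
    username: str
    password: str
    id: int = 0       # assigned by the server
    credit: int = 0   # server-side balance; the client should never set it


class VulnerableUserStore:
    """Create User that binds every attribute-shaped key of the body (mass assignment)."""

    def __init__(self):
        self._ids = count(1)
        self.users = {}

    def create(self, body: dict) -> dict:
        user = User(name=body["name"], username=body["username"], password=body["password"])
        user.id = next(self._ids)
        # The bug: any other key that matches an attribute, such as "credit",
        # is copied straight onto the object.
        for key, value in body.items():
            if key != "id" and hasattr(user, key):
                setattr(user, key, value)
        self.users[user.id] = user
        return {"id": user.id}

    def get(self, user_id: int) -> dict:
        return asdict(self.users[user_id])


class HardenedUserStore(VulnerableUserStore):
    """Same store, but Create User binds only the allow-listed client fields."""

    def create(self, body: dict) -> dict:
        unexpected = set(body) - CLIENT_FIELDS
        missing = CLIENT_FIELDS - set(body)
        if unexpected or missing:
            # Reject rather than silently drop, so tampering shows up in logs.
            raise ValueError(f"unexpected={sorted(unexpected)} missing={sorted(missing)}")
        user = User(**{k: body[k] for k in CLIENT_FIELDS})
        user.id = next(self._ids)
        self.users[user.id] = user
        return {"id": user.id}


def candidate_mass_assignment_fields(request_fields, get_response: dict) -> list:
    """Discovery step: keys the server returns but the client never sent."""
    return sorted(set(get_response) - set(request_fields))


def forge_and_check(store: VulnerableUserStore, credit: int = 1000) -> dict:
    """Replay the attack: Create User with an extra credit field, then Get User."""
    forged = {"name": "Test User", "username": "tester2", "password": "s3cret", "credit": credit}
    try:
        created = store.create(forged)
    except ValueError as exc:
        return {"rejected": str(exc)}
    return store.get(created["id"])


if __name__ == "__main__":
    # Constructed stand-in for the Get User response seen in the walkthrough.
    observed_get = {"id": 1, "name": "Test User", "username": "tester", "credit": 0}
    print("candidates:", candidate_mass_assignment_fields(["name", "username", "password"], observed_get))
    print("vulnerable:", forge_and_check(VulnerableUserStore()))
    print("hardened:  ", forge_and_check(HardenedUserStore()))
```

The hardened version deliberately fails closed on unknown keys instead of ignoring them: silently dropping credit would also fix the bug, but a 4xx with the offending field name gives the defender a signal that someone is probing for mass assignment.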

I wish my bank account was vulnerable in this way.

Prathamesh Khatavkar

Information Security Engineer | Security Enthusiast | Noble Hacker | World is free place then why pay for knowledge |