exploiting-mass-assignment-in-rest-apis
Detect and exploit mass assignment in REST APIs (Community skill)
Category: Software Engineering
Tags: #automation #orm #api-security #rest-api #privilege-escalation #burp-suite #mass-assignment
Author: Acczdy
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
This Skill helps security testers discover and validate mass assignment vulnerabilities, where an API accepts and persists client-controlled fields it was never meant to expose, enabling privilege escalation, financial manipulation, or bypass of verification and authorization controls.
Core Features & Use Cases
- Field Discovery: Compare request and response schemas and use parameter discovery tools to find hidden or accepted fields.
- Injection Testing: Inject common sensitive field names (role, isAdmin, balance, verified, owner_id) into create/update endpoints and check whether the server accepts and persists them.
- Automation & Reporting: Provide an automated agent to iterate field payloads, detect accepted fields, and produce a findings report with remediation guidance.
- Use Case: API security assessments or bug bounty testing of applications built on ORMs with automatic attribute binding (Rails, Django, Laravel, Spring), to identify missing field allowlists and absent field-level authorization checks.
Quick Start
Test the target API by sending unexpected JSON parameters to create/update endpoints, then report any accepted restricted fields that allow privilege escalation or business logic manipulation.
Dependency Matrix
Required Modules: requests
Components: scripts, references
💻 Claude Code Installation
Recommended: Let Claude install automatically. Copy and paste the text below into Claude Code.
Please help me install this Skill:
Name: exploiting-mass-assignment-in-rest-apis
Download link: https://github.com/Acczdy/MoZiSec/archive/main.zip#exploiting-mass-assignment-in-rest-apis
Please download this .zip file, extract it, and install it in the .claude/skills/ directory.