Mass assignment occurs when an application accepts a request body containing multiple parameters and automatically binds those parameters onto an internal object or model without an explicit allow-list of the fields that may be set. If the developer assumes the client will only ever send the expected fields, an attacker can add parameters to the request and set properties that were never intended to be user-controlled.
A common example is a profile update request that legitimately allows a user to change their display name or telephone number. If the same endpoint also binds fields such as is_admin, role, account_balance, or email_verified straight onto the underlying model, the attacker may be able to alter sensitive state simply by adding those parameters to the request. The field names are rarely a secret: the same model is often returned verbatim in a GET response, so an attacker can read the property names from the response and replay them in the update.
This issue is particularly common in modern web frameworks and APIs that make object binding convenient. If the application does not restrict binding to an explicit allow-list of permitted fields, or does not enforce access controls on sensitive properties so that only a suitably privileged caller can change them, mass assignment can lead to critical security weaknesses.
The impact can be severe because mass assignment sidesteps the business rules that normally guard a field: no privilege check, no validation and no audit trail runs for a property the developer never expected the client to send. It can lead to privilege escalation, unauthorised account changes, manipulation of financial values, or exposure of administrative functionality. In APIs, it may also allow attackers to set fields that control how the application processes later requests, which can open the way to further vulnerabilities such as injection or logic flaws.
Mass assignment is a weakness that is often found during API penetration testing and web application penetration testing wherever object binding is used. A quick check is to take any state-changing request, add the field names observed in the corresponding GET response, and compare the object before and after: any field that changed without being part of the intended form is a finding.