Additional Properties Mass Assignment Fields Fuzzer
| Item | Description |
|---|---|
| Full Fuzzer Name | AdditionalPropertiesMassAssignmentFieldsFuzzer |
| Log Key | APMAF |
| Description | This fuzzer targets objects explicitly declared with additionalProperties: false and injects a large number of unexpected extra properties into them. The goal is to detect Mass-Assignment / over-posting vulnerabilities and schema enforcement gaps, where APIs accidentally accept or persist fields that are not part of the contract. |
| Enabled by default? | Yes |
| Target field types | OpenAPI type object with additionalProperties: false |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Iteratively replaces each eligible object field with a mutated object that: 1. Preserves existing properties from the original payload (copies all keys and their values). 2. Picks a sample value from one of the existing properties (any existing value); if none exists, uses "catsFuzzyValue". 3. Adds up to 100 extra properties named catsExtraProp0 ... catsExtraPropN, each having the same sample value. 4. The number of injected properties is capped by min(100, processingArguments.getLargeStringsSize() / 4) to avoid extreme payload sizes. 5. The mutated object is serialized to JSON and used as the replacement value for the field. |
| Conditions when this fuzzer will be skipped | When the field is not an object OR the schema does not declare additionalProperties: false OR the current payload value is not a valid map/object for the given field path. |
| HTTP methods that will be skipped | HEAD, GET, DELETE |
| Reporting | Reports error if: 1. response code is 404; 2. response code is documented, but not expected; 3. any unexpected exception. Reports warn if: 1. response code is expected and documented, but does not match the response schema; 2. response code is expected, but not documented; 3. response code is 501. Reports success if: 1. response code is expected, documented and matches the response schema. |
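As an added illustration (not CATS's own code), the following Python reproduces the mutation described in the "Fuzzing logic" row and pairs it with the server-side check the fuzzer is probing for: a schema gate that rejects any key not listed under `properties` when `additionalProperties` is `false`. The schema, the original payload and the `large_strings_size` value of 200 are constructed for the example; the fuzzer says "any existing value" is used as the sample, and this example assumes the first one.

```python
import json

MAX_EXTRA_PROPS = 100            # hard cap named in the fuzzer description
FALLBACK_VALUE = "catsFuzzyValue"  # used when the original object has no properties


def build_mass_assignment_payload(original, large_strings_size):
    """Mutate an object the way the APMAF fuzzer logic describes.

    1. keep every existing key/value
    2. pick a sample value (assumption: the first existing value) or the fallback
    3./4. add min(100, large_strings_size // 4) extra catsExtraPropN keys
    """
    mutated = dict(original)
    sample = next(iter(original.values()), FALLBACK_VALUE)
    count = min(MAX_EXTRA_PROPS, large_strings_size // 4)
    for i in range(count):
        mutated[f"catsExtraProp{i}"] = sample
    return mutated


def serialize_payload(mutated):
    """Step 5: the mutated object travels as a JSON string."""
    return json.dumps(mutated)


def unknown_properties(schema, payload):
    """Return keys the schema does not allow. Empty list means the payload passes.

    Only a schema that explicitly sets additionalProperties: false rejects extras;
    an absent or true setting is the 'schema enforcement gap' the fuzzer looks for.
    """
    if schema.get("additionalProperties", True) is not False:
        return []
    allowed = set(schema.get("properties", {}))
    return sorted(key for key in payload if key not in allowed)


def handle_request(schema, raw_json):
    """Minimal handler: 400 on unknown fields, 200 when the contract is honoured."""
    payload = json.loads(raw_json)
    extras = unknown_properties(schema, payload)
    if extras:
        return 400, {"error": "unknown properties", "fields": extras}
    return 200, {"stored": payload}


# Constructed sample schema and payload for a user object.
STRICT_USER_SCHEMA = {
    "type": "object",
    "properties": {"name": {"type": "string"}, "email": {"type": "string"}},
    "additionalProperties": False,
}
# Same contract with the guard missing: the API silently accepts the extras.
LENIENT_USER_SCHEMA = {
    "type": "object",
    "properties": {"name": {"type": "string"}, "email": {"type": "string"}},
}
ORIGINAL_PAYLOAD = {"name": "alice", "email": "alice@example.com"}


def run_demo(large_strings_size=200):
    """Fuzz the sample payload against both schemas and return the two status codes."""
    mutated = build_mass_assignment_payload(ORIGINAL_PAYLOAD, large_strings_size)
    body = serialize_payload(mutated)
    strict_status, _ = handle_request(STRICT_USER_SCHEMA, body)
    lenient_status, _ = handle_request(LENIENT_USER_SCHEMA, body)
    return strict_status, lenient_status


if __name__ == "__main__":
    strict, lenient = run_demo()
    print(f"strict schema -> {strict}, lenient schema -> {lenient}")
```

With the strict schema the handler answers 4XX, which is what the expected-result rows above call for; the lenient schema answers 200 and would be reported as "documented, but not expected", the signature of an over-posting gap. With `large_strings_size=200` the cap `min(100, 200 // 4)` limits the injection to 50 extra keys.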