Mass Assignment Fuzzer
| Item | Description |
|---|---|
| Full Fuzzer Name | MassAssignmentFuzzer |
| Log Key | MA |
| Description | This fuzzer tests for Mass Assignment (aka auto-binding / over-posting) vulnerabilities by adding extra (undeclared) fields to the request payload that are not defined in the OpenAPI schema. It uses a curated list of common sensitive fields (e.g. role, isAdmin, permissions, balance, ownerId, tenantId, etc.) and verifies whether the API rejects them, accepts them silently, or even reflects them back, which indicates dangerous object binding behavior. |
| Enabled by default? | Yes |
| Target field types | JSON request bodies (object payloads) containing at least one field; injects additional top-level fields not present in schema/payload |
| Expected result when fuzzed field is required | 4XX |
| Expected result when fuzzed field is optional | 4XX |
| Expected result when fuzzed value is not matching field pattern | 4XX |
| Fuzzing logic | Adds undeclared sensitive fields to the JSON payload, one at a time: 1. Skips execution if the payload is empty. 2. Collects all known request fields from the OpenAPI schema (`getAllFieldsByHttpMethod()`). 3. Iterates through a curated map of sensitive field names and attack values (privilege/status/financial/ownership/internal flags). 4. For each sensitive field that is not present in the schema and not already present in the payload, injects it at the root (`$`) of the JSON using `replaceNewElement`. 5. Sends the request expecting a 4XX rejection. 6. Analyzes the response for acceptance and reflection of the injected field/value to detect vulnerabilities. |
| Conditions when this fuzzer will be skipped | When the request payload is empty, OR when all sensitive fields already exist in the schema/payload (nothing left to inject/test). |
| HTTP methods that will be skipped | GET, DELETE, HEAD, TRACE |
| Reporting | Reports info if: 1. The API rejects the request with 4XX (payload with undeclared field properly rejected). Reports error if: 1. The API accepts the request with 2XX and the injected field/value is reflected in the response (strong indicator of mass assignment). 2. The API accepts the request with 2XX even without reflection (undeclared fields should be rejected). 3. The API returns 5XX while processing the undeclared field (improper handling). 4. Any other unexpected response code is returned. |
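To make the fuzzing logic and the reporting rules above concrete, here is an added Python sketch (not the project's own code) of the two core steps: building the one-field-at-a-time mutated payloads from the schema fields and the original payload, and mapping each response to the info/error outcomes listed under Reporting. The field list, attack values, and the "reflected" check (same field name and value present in the JSON response) are this example's own assumptions.

```python
import copy

# Constructed sample of the curated map: sensitive field -> attack value.
# Categories follow the doc (privilege, status, financial, ownership, internal).
SENSITIVE_FIELDS = {
    "role": "admin",
    "isAdmin": True,
    "permissions": ["*"],
    "balance": 1000000,
    "ownerId": 1,
    "tenantId": 1,
}


def injection_candidates(schema_fields, payload):
    """Return (field, mutated_payload) pairs, one injected field per payload.

    Mirrors the skip conditions: empty payload -> nothing; a field already in
    the schema or the payload is not injected.
    """
    if not payload:
        return []
    declared = set(schema_fields) | set(payload)
    candidates = []
    for name, value in SENSITIVE_FIELDS.items():
        if name in declared:
            continue
        mutated = copy.deepcopy(payload)
        mutated[name] = value  # injected at the JSON root ($)
        candidates.append((name, mutated))
    return candidates


def classify(field, value, status, response_json):
    """Map a response to the doc's reporting outcome: (level, reason)."""
    if 400 <= status < 500:
        return ("info", "undeclared field rejected")
    if 200 <= status < 300:
        # Assumption: "reflected" means the response echoes the field with our value.
        if isinstance(response_json, dict) and response_json.get(field) == value:
            return ("error", "accepted and reflected")
        return ("error", "accepted without reflection")
    if 500 <= status < 600:
        return ("error", "server error while handling undeclared field")
    return ("error", "unexpected response code")
```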