00 — Overview
Mass Assignment — Fields the App Never Meant to Expose
Add fields the frontend never sends to a registration or update request. If the server blindly maps the request JSON onto its database object, those extra fields are written too, and you have just made yourself admin.
Beginner · 35 min · 5 tasks
// By the end of this module
→ Apply mass assignment techniques with a proxy against a live API
→ Discover hidden fields by diffing responses with and without extra params
→ Escalate account privileges in a real target application
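
The server-side behaviour described in the overview, as an added example that is not part of the original module: a handler that copies the whole request body onto the user record, beside one that binds only an allow-list of fields. The user shape, field names and function names are assumptions made for illustration.

```javascript
// Constructed in-memory user record; every name here is hypothetical.
function newUser(email) {
  return { id: 1, email, displayName: "", role: "user", isAdmin: false };
}

// Vulnerable: every key in the request body is copied onto the record,
// including fields the frontend form never sends.
function updateProfileUnsafe(user, body) {
  return Object.assign({}, user, body);
}

// Hardened: only allow-listed fields are bound, each with a type check.
const EDITABLE = { email: "string", displayName: "string" };

function updateProfileSafe(user, body) {
  const updated = { ...user };
  const rejected = [];
  for (const key of Object.keys(body)) {
    const allowed = Object.prototype.hasOwnProperty.call(EDITABLE, key);
    if (allowed && typeof body[key] === EDITABLE[key]) {
      updated[key] = body[key];
    } else {
      rejected.push(key); // unexpected field: log it, it is a detection signal
    }
  }
  return { updated, rejected };
}

// Constructed request body: one legitimate field plus two extra ones.
const body = JSON.parse('{"displayName":"Sam","role":"admin","isAdmin":true}');

const unsafeResult = updateProfileUnsafe(newUser("sam@example.com"), body);
const safeResult = updateProfileSafe(newUser("sam@example.com"), body);

console.log("unsafe role:", unsafeResult.role);
console.log("safe role:", safeResult.updated.role);
console.log("rejected fields:", safeResult.rejected);
```

The rejected list is worth logging server-side: a client that sends `role` or `isAdmin` to a profile endpoint is not the shipped frontend.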
