HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

ProfileHub — Mass Assignment

Difficulty
Beginner
Vuln class
Mass Assignment
Steps
3
// Objective
Escalate your account to admin by including a role field in the registration or profile update request.
// Tools required
Browser, Burp Suite, curl
// Step-by-step walkthrough
1
Register normally and inspect the request
Create an account via the registration form. Intercept the POST request in Burp and note the fields the form actually sends: username, email, password. The form not offering a role field says nothing about whether the server would accept one.
2
Add the role field
Resend the registration request with an extra "role":"admin" parameter. If the server binds every request parameter to the user model without filtering (the default behaviour of automatic model binding in many web frameworks), the injected role is stored alongside the legitimate fields. If registration does filter it, try the same parameter on the profile update request, which often goes through a different binder.
Command / Input
POST /api/register
Content-Type: application/json

{"username":"attacker","email":"a@b.com","password":"pass","role":"admin"}
Output
{"message":"Account created","role":"admin"}
The fix is an allowlist: the registration handler should copy only username, email, and password out of the request and set role server-side, never from client input.
3
Access the admin panel
Log in with the new account and navigate to /admin. The authorization check reads the stored role, which is now admin, so the panel loads.
Command / Input
GET /admin/flag
Output
HackrGG{m4ss_4ss1gnm3nt_r0l3_3sc4l4t10n}
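The binding bug behind the three steps above, as an added example in Python that is not part of the hackr.gg walkthrough or the ProfileHub application: a registration handler that binds the whole request body onto the user model, next to an allowlisted version, both run against the walkthrough's registration body. It also covers the profile-update variant the objective mentions. The User dataclass, the per-endpoint allowlists, the profile-update body and the function names are assumptions; the walkthrough does not show the server code.

```python
import json
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    password: str
    role: str = "user"  # server-controlled; a client must never be able to set it


# Constructed input: the walkthrough's registration body with the injected role.
ATTACK_REGISTRATION = (
    '{"username":"attacker","email":"a@b.com","password":"pass","role":"admin"}'
)
# Constructed input: the same trick aimed at a profile update (assumed endpoint).
ATTACK_PROFILE_UPDATE = '{"email":"new@b.com","role":"admin"}'

# Per-endpoint allowlists (assumed). "role" is deliberately absent from both.
REGISTRATION_FIELDS = frozenset({"username", "email", "password"})
PROFILE_UPDATE_FIELDS = frozenset({"email", "password"})


def register_vulnerable(raw_body: str) -> User:
    """Bind every JSON key straight onto the model: the challenge's behaviour."""
    params = json.loads(raw_body)
    return User(**params)  # "role":"admin" lands on the object unchanged


def bind_allowlisted(params: dict, allowed: frozenset) -> tuple[dict, set]:
    """Keep only allowlisted keys; return (safe_params, dropped_keys).

    Dropped keys are returned rather than silently discarded so the caller
    can log them: a client sending "role" is a strong signal of this attack.
    """
    dropped = set(params) - allowed
    safe = {k: v for k, v in params.items() if k in allowed}
    return safe, dropped


def register_hardened(raw_body: str) -> User:
    params = json.loads(raw_body)
    safe, dropped = bind_allowlisted(params, REGISTRATION_FIELDS)
    missing = REGISTRATION_FIELDS - set(safe)
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    if dropped:
        print(f"register: dropped unexpected fields {sorted(dropped)}")
    return User(**safe)  # role falls back to the dataclass default "user"


def update_profile_hardened(user: User, raw_body: str) -> User:
    params = json.loads(raw_body)
    safe, dropped = bind_allowlisted(params, PROFILE_UPDATE_FIELDS)
    if dropped:
        print(f"profile update: dropped unexpected fields {sorted(dropped)}")
    for key, value in safe.items():
        setattr(user, key, value)
    return user


if __name__ == "__main__":
    print("vulnerable:", register_vulnerable(ATTACK_REGISTRATION).role)  # admin
    u = register_hardened(ATTACK_REGISTRATION)
    print("hardened:", u.role)  # user
    u = update_profile_hardened(u, ATTACK_PROFILE_UPDATE)
    print("after profile update:", u.email, u.role)  # new@b.com user
```

The allowlist is applied per endpoint rather than once on the model, because the set of client-settable fields differs between registration and profile update; logging the dropped keys turns a silent drop into a detection signal.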
// Flag
Flag value
HackrGG{m4ss_4ss1gnm3nt_r0l3_3sc4l4t10n}
Located in the admin panel at /admin/flag, reachable once the account's role has been escalated to admin via mass assignment.