Most web frameworks make it easy to turn a request body into an object. You send some JSON, the framework copies every field onto a model, and the model gets saved. A mass assignment vulnerability happens when that copy step is too trusting, so a user can set fields the form never showed them, like role, is_admin, or account_id. The result is an access control failure: a normal user edits a field that was meant to be off limits.
What mass assignment is
The bug goes by a few names. Rails calls it mass assignment. Some frameworks call it autobinding or object injection. The shape is always the same. An incoming request body is bound straight onto an object or a database model, and the binder accepts any key that matches a property on that object. The developer is thinking about the two or three fields the form sends. The model has more fields than that, and the binder does not know which ones the user is allowed to touch.
Picture an invented app called Acme Notes. A user can edit their own profile. The profile model looks like this:
# Profile model (server side)
class Profile:
id # set by the server
name # user editable
email # user editable
role # "user" or "admin", set by an admin only
is_admin # boolean, set by the server only
verified # set after email confirmation
account_id # which tenant this profile belongs to
The form on the settings page shows two inputs: name and email. So the developer wires up an endpoint that takes the request body and binds it onto the model in one line.
The normal request versus the attack
Here is the request the form is meant to send. A user updates their display name.
PATCH /api/profile
Content-Type: application/json
Cookie: session=...
{"name": "Dana Lee"}
The server binds name onto the model and saves. Nothing surprising. Now the attacker opens the developer tools, sees the request, and adds a field the form never offered.
PATCH /api/profile
Content-Type: application/json
Cookie: session=...
{"name": "Dana Lee", "role": "admin"}
If the endpoint binds the whole body onto the model, role gets written along with name. The user just promoted their own account. The same trick works with {"is_admin": true}, with {"verified": true} to skip email confirmation, or with {"account_id": 7} to move their profile into another tenant. The attacker does not need to guess a hidden URL or break the session. They send one extra key on an endpoint they are already allowed to call.
The form decides what a user sees. The model decides what a user can change. When those two lists drift apart, the gap is the vulnerability.
Why a mass assignment vulnerability is really broken access control
It is tempting to file this under input validation, but that misses the point. The data is valid. role: "admin" is a real value the field accepts. The problem is authorization: this user is not allowed to set that field, and the server never checked. That is why a mass assignment vulnerability sits inside the broader family of broken access control bugs.
The OWASP API Security project names this directly. It calls the pattern Broken Object Property Level Authorization, which merges the older idea of mass assignment with excessive data exposure. The rule it states is simple: authorize access to each property of an object, not just the object as a whole. Being allowed to edit your profile does not mean you are allowed to edit every field on your profile.
This is close kin to broken object level authorization, also known as IDOR. IDOR is about reaching an object you should not reach. Mass assignment is about changing a property on an object you can reach but should not control. Both come down to a missing check, and both are worth studying together in the wider access control category.
How to spot it
You find a mass assignment vulnerability by comparing two lists: the fields the form shows, and the fields the model accepts.
- Read the form, then read the model. List the inputs the user interface sends. Then look at the database model or the binding target behind the endpoint. Every field on the model that is not on the form is a candidate.
role,is_admin,verified,balance, andaccount_idare the usual suspects. - Send extra guessed fields and watch the response. Against an app you own, add a likely field to the body and submit it. Then read the object back. If the value stuck, the binder accepted a field it should have ignored. A response that echoes the new
roleoris_adminis a confirmed finding. - Watch the quiet cases. Sometimes the response does not show the field, but the change still happened. Promote yourself with
is_admin, then load a page that only admins can see. If it loads, the write went through even though the response gave nothing away. - Audit the binding call. Search the code for the line that turns the request body into a model. If it copies the whole body with no allowlist, that is the bug in source form.
How to prevent a mass assignment vulnerability
- Use an explicit allowlist of bindable fields. Name the exact fields the endpoint is allowed to write, and bind only those.
nameandemailon the profile endpoint, nothing else. An allowlist fails closed: a new sensitive field added later is ignored until someone chooses to include it. - Separate input DTOs from database models. Bind the request to a small input object that holds only user editable fields, validate it, then copy the approved values onto the model by hand. The request never touches the model directly, so it can never reach
roleoris_admin. - Never bind the request straight to the model. The one line shortcut that copies the body onto the saved object is the root of this bug. Treat it as a code smell on any endpoint that handles a model with sensitive fields.
- Mark sensitive fields read only or protected. Many frameworks let you tag fields as not mass assignable, or keep a denylist of protected attributes. Use it as a backstop, but prefer the allowlist, since a denylist forgets the field you add next year.
- Authorize the property, not just the action. Setting
roleshould run through the same permission check an admin screen would use. If the current user cannot promote others through the admin interface, they cannot do it through a stray JSON key either.
These habits also block the related access control vulnerability patterns, since the fix is the same idea every time: decide what a given user is allowed to do, and check it on the server before the write lands.
Why this rewards understanding the app
You do not find mass assignment by replaying a fixed payload. You find it by understanding what the form is supposed to do, then asking what the model behind it can actually accept. The bug is an assumption the code makes, that the request body only ever contains the fields the form sent, and the way to find it is to test that assumption with one extra key.
That is the kind of bug an autonomous researcher that tests an app’s assumptions is built to surface. It learns how an endpoint is meant to work, guesses where the binding is too wide, sends the extra field, and confirms the write before reporting anything. You can read more about that approach on our about page.
Frequently asked questions
What is a mass assignment vulnerability?
It is a bug where a framework binds an incoming request body straight onto an object or database model, accepting any key that matches a field on that model. A user can then set fields the form never showed, such as role, is_admin, or account_id. Sending {"name":"Dana","role":"admin"} to a profile endpoint that only meant to take a name can promote the user’s own account. It is also called autobinding or object injection.
Why is mass assignment an access control problem and not just input validation?
The submitted data is valid. A value like role: "admin" is something the field genuinely accepts, so validation passes. The real failure is authorization: this user was never allowed to set that field, and the server did not check. The OWASP API Security project files this under Broken Object Property Level Authorization, which says you must authorize access to each property of an object, not just the object as a whole.
How do you detect a mass assignment vulnerability?
Compare the fields the form shows against the fields the model accepts. Any model field missing from the form is a candidate, especially role, is_admin, verified, balance, and account_id. Against an app you own, add a guessed field to the request body and read the object back to see if the value stuck. Watch the quiet case too: the response may hide the field while the write still happened, so confirm by loading a page that only the elevated state can reach.
How do you prevent a mass assignment vulnerability?
Use an explicit allowlist of bindable fields and bind only those, so any new sensitive field is ignored until someone opts it in. Separate input DTOs from database models, validate the DTO, then copy approved values onto the model by hand so the request never touches the model directly. Never bind the request straight to the model, mark sensitive fields read only or protected as a backstop, and run any change to a field like role through the same permission check an admin screen would use.