Skip to main content

Mass Assignment

The framework auto-maps incoming JSON to model DB fields.

Category: Web · OWASP Top 10 🎯 Trench — The framework auto-maps incoming JSON to model DB fields. If the developer doesn’t declare which fields are fillable, you pass {"role": "admin"} and you escalate privileges. 🔗 Kill chain — Prerequisite: create or update endpoint. Next: vertical escalation (is_admin, role, tenant_id), business validation bypass. 📡 Defensive footprint — Field changes not exposed in the UI form. Hard to detect after the fact without per-column auditing. ⚠️ False friend — Assuming it’s only a Rails issue. Laravel, Django, Spring Boot, Express + Mongoose — all have the same pattern when used incorrectly. 🛡️ Remediation — Explicit field whitelist.

Back to the full glossary Last updated: 2026-06-11