Mass Assignment
The framework auto-maps incoming JSON to model DB fields.
Category: Web · OWASP Top 10 🎯 Trench — The framework auto-maps incoming JSON to model DB fields. If the developer doesn’t declare which fields are fillable, you pass{"role": "admin"} and you escalate
privileges.
🔗 Kill chain — Prerequisite: create or update endpoint.
Next: vertical escalation (is_admin, role, tenant_id),
business validation bypass.
📡 Defensive footprint — Field changes not exposed in the UI
form. Hard to detect after the fact without per-column auditing.
⚠️ False friend — Assuming it’s only a Rails issue. Laravel,
Django, Spring Boot, Express + Mongoose — all have the same
pattern when used incorrectly.
🛡️ Remediation — Explicit field whitelist.
← Back to the full glossary Last updated: 2026-06-11