Mass Assignment leads to the victim’s account being inaccessible forever
2023-5-4 20:37:15 Author: infosecwriteups.com

Hi Guys, my name is m7arm4n and today I wanna talk about one of my findings on a private program: a Mass Assignment vulnerability that makes victims’ accounts inaccessible. I have discovered many Mass Assignment bugs in different programs and functions, but this one is my favorite and was the first one.

Mass Assignment is a type of security weakness in web applications that occurs when the application lets a client set several properties of an object in a single request, without properly filtering or validating which properties may be set.

This vulnerability occurs because developers often rely on a feature of some web frameworks that automatically maps incoming request data onto object properties. Attackers can abuse this feature by submitting specially crafted input that includes additional properties, or that modifies existing ones that were never meant to be changed by the client. This may allow access to or modification of sensitive data, including user account information, payment information, or other sensitive data.

For example, suppose a web application allows a user to update profile information, including name, email address, and password. If the developer does not restrict or validate the accepted input properly, an attacker can send a request that includes additional parameters such as “isAdmin=true”, giving them administrative access to the application.
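To make the difference concrete, here is an added example (not code from the original post or from the affected program) of a profile-update handler written both ways: one that binds every key of the request body onto the user object, and one that accepts only an allow-list of fields. The `User` class, the field names and the crafted request body are all constructed for this illustration; a real framework would map JSON keys such as `isAdmin` onto attributes, here the keys already match the attribute names.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Constructed account record; 'is_admin' and 'email' are the kind of
    properties a profile-edit form must never be allowed to set."""
    username: str
    email: str
    first_name: str = ""
    last_name: str = ""
    is_admin: bool = False


def update_profile_mass_assign(user: User, body: dict) -> User:
    """Vulnerable handler: copies every key of the request body onto the
    object, so an extra 'is_admin' or 'email' parameter is honoured."""
    for key, value in body.items():
        setattr(user, key, value)  # no allow-list, no validation
    return user


# The only fields the "edit name" form is meant to change.
ALLOWED_PROFILE_FIELDS = frozenset({"first_name", "last_name"})


def update_profile_allowlisted(user: User, body: dict) -> User:
    """Hardened handler: rejects the whole request if it carries any field
    outside the allow-list, so an unexpected parameter is blocked and shows
    up in logs/tests instead of being silently applied; then validates and
    copies only the permitted fields."""
    unexpected = set(body) - ALLOWED_PROFILE_FIELDS
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for key in ALLOWED_PROFILE_FIELDS:
        if key in body:
            value = body[key]
            if not isinstance(value, str) or not (0 < len(value) <= 64):
                raise ValueError(f"invalid value for {key}")
            setattr(user, key, value)
    return user


def demo() -> tuple:
    """Runs both handlers on the same crafted body (constructed input) and
    returns (user after weak handler, user after hardened handler, outcome)."""
    crafted = {"first_name": "Mal", "last_name": "Ory",
               "is_admin": True, "email": "victim@example.com"}

    weak = update_profile_mass_assign(User("alice", "alice@example.com"), dict(crafted))

    strong = User("alice", "alice@example.com")
    try:
        update_profile_allowlisted(strong, dict(crafted))
        outcome = "accepted"
    except ValueError as exc:
        outcome = str(exc)
    return weak, strong, outcome


if __name__ == "__main__":
    weak_user, strong_user, result = demo()
    print("mass assignment :", weak_user)
    print("allow-listed    :", strong_user, "->", result)
```

Rejecting the request instead of silently dropping unknown keys is a deliberate choice: it turns a probing request into a visible 4xx and a log line, which is what a defender wants to see when someone starts adding `isAdmin` to form bodies.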

I skipped subdomain enumeration. When I reached the website I registered as a normal user, and after a few minutes I understood that the website had two endpoints to update the user’s data. One of them was for the email address and required the password to update it; the other one was only for first name and last name and did not require the password.

I tried to update the email to an already registered email, but unfortunately I got an error.

I thought a little differently and opened the Edit section to update the first name and last name, and captured the update request in Burp.

I was looking for an interesting parameter to exploit, but the response was a redirect page that did not expose any hidden parameters. I tried adding some interesting parameters such as isAdmin, etc.

I added an Email parameter to the body and set a new email. Surprisingly, my email was updated to the new one.

But the impact of this vulnerability so far is Informational/P5, and we should escalate it to something impactful. So I set the email to an existing victim’s email and forwarded the request. Bingo, I got success 😍🤯

My email address was updated to the victim’s email address, so now let’s check the victim’s account. On the victim side, I tried to log in with valid credentials but got an error; tried the forgot password flow? Nope, I got the same error.

What Happened

We set the same email on two accounts, and when functions query the database by email, the database returns either nothing or two accounts, which means those functions no longer work correctly. Now the victim’s account is inaccessible forever :D
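The lock-out described above comes from the data layer, not just the endpoint, so it is worth seeing on its own. The following added example (constructed for this write-up, not code from the original post or the affected program) models a users table with an email column, a login routine that expects exactly one row per email, and the name-edit update with an extra `email` parameter riding along. Run once without a uniqueness check and once with one, it shows both the failure mode (two rows share the email, so login finds an ambiguous result and fails for the victim) and the fix a database `UNIQUE` constraint or an equivalent check at write time provides, independent of which endpoint performed the write. Account values and passwords are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    user_id: int
    email: str
    password: str  # plaintext only because this is a constructed demo
    first_name: str = ""
    last_name: str = ""


class UniqueEmailViolation(Exception):
    """Raised when a write would leave two accounts with the same email
    (what a UNIQUE constraint on the email column would do in the database)."""


class AccountStore:
    """In-memory stand-in for the users table (constructed)."""

    def __init__(self, enforce_unique_email: bool) -> None:
        self._rows: Dict[int, Account] = {}
        self.enforce_unique_email = enforce_unique_email

    def add(self, acct: Account) -> None:
        self._rows[acct.user_id] = acct

    def update(self, user_id: int, **changes) -> None:
        """Applies whatever columns the caller passes, like an ORM update
        built straight from request parameters."""
        acct = self._rows[user_id]
        new_email = changes.get("email", acct.email)
        if self.enforce_unique_email:
            for other in self._rows.values():
                if other.user_id != user_id and other.email.lower() == new_email.lower():
                    raise UniqueEmailViolation(new_email)
        for key, value in changes.items():
            setattr(acct, key, value)

    def find_by_email(self, email: str) -> List[Account]:
        return [a for a in self._rows.values() if a.email.lower() == email.lower()]


def login(store: AccountStore, email: str, password: str) -> Optional[Account]:
    """Typical 'look up by email, then check the password' login. It expects
    exactly one row; an ambiguous result is treated as failure, which is what
    locks the victim out once two rows share the email (password reset flows
    that look up by email break the same way)."""
    matches = store.find_by_email(email)
    if len(matches) != 1:
        return None
    acct = matches[0]
    return acct if acct.password == password else None


def scenario(enforce_unique_email: bool) -> dict:
    """Replays the write-up: a name update that carries an extra email field."""
    store = AccountStore(enforce_unique_email)
    store.add(Account(1, "victim@example.com", "victim-pass"))
    store.add(Account(2, "other@example.com", "other-pass"))

    # The name-edit endpoint does not ask for the password; with mass
    # assignment the extra 'email' parameter is written along with the names.
    try:
        store.update(2, first_name="Mal", last_name="Ory", email="victim@example.com")
        write = "applied"
    except UniqueEmailViolation:
        write = "rejected"

    return {
        "write": write,
        "rows_for_victim_email": len(store.find_by_email("victim@example.com")),
        "victim_can_login": login(store, "victim@example.com", "victim-pass") is not None,
    }


if __name__ == "__main__":
    print("no uniqueness check :", scenario(enforce_unique_email=False))
    print("uniqueness enforced :", scenario(enforce_unique_email=True))
```

The point of enforcing uniqueness in the store rather than only in the password-protected email endpoint is defence in depth: the author's finding worked precisely because a second, weaker endpoint could reach the same column, and a constraint at the data layer holds no matter which code path writes to it.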


Source: https://infosecwriteups.com/mass-assignment-leads-to-the-victims-account-being-inaccessible-forever-52e48c6a8a4d?source=rss----7b722bfd1b8d--bug_bounty