
Mass Assignment

Difficulty: Beginner

This profile update API accepts the raw request body and applies it directly to the database. Exploit mass assignment to escalate your privileges, then learn how to fix it with allowlists.

PUT /api/users/42

Database Record — users[42]
  id:       42
  name:     John Doe
  email:    john@example.com
  role:     user
  verified: false

Server Code
  // No filtering — vulnerable
  db.update(userId, req.body);

Challenges

1. Escalate Privileges
   The API only expects {name, email} but blindly applies all fields. Add "role": "admin" to become admin.

2. Apply the Fix
   Enable the allowlist and verify that mass assignment is prevented.
How to fix mass assignment
Use DTOs and allowlists so that only explicitly permitted fields (here name and email) can reach the database update; every other key in the request body is discarded, whatever the client sends.
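As an added example (not the simulation's own server code), the handler below shows the vulnerable `db.update(userId, req.body)` from the page next to an allowlisted version. The in-memory `makeDb()` stand-in for the users table, the `PROFILE_UPDATE_ALLOWLIST` contents and the sample request body are constructed for this demonstration; `rejectedFields` is an added helper so the server can log which unexpected keys a request carried.

```javascript
// Constructed in-memory stand-in for the simulation's users table.
// A fresh copy per call keeps the vulnerable and fixed runs independent.
function makeDb() {
  return {
    users: {
      42: { id: 42, name: 'John Doe', email: 'john@example.com', role: 'user', verified: false },
    },
    // Mirrors the page's db.update(userId, fields): merges fields into the record.
    update(userId, fields) {
      Object.assign(this.users[userId], fields);
      return this.users[userId];
    },
  };
}

// The DTO / allowlist: the only fields a user may change on their own profile.
// (Constructed for this example; the page states the API expects {name, email}.)
const PROFILE_UPDATE_ALLOWLIST = ['name', 'email'];

// Copy only allowlisted keys that the client actually sent. Iterating over the
// allowlist rather than over the body means keys such as "role", "verified" or
// "__proto__" never reach the output object at all.
function pickAllowed(body, allowlist) {
  const out = {};
  for (const key of allowlist) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Which submitted keys were dropped. Worth logging: a profile update that
// carries "role" is a signal of a mass-assignment attempt.
function rejectedFields(body, allowlist) {
  return Object.keys(body).filter((k) => !allowlist.includes(k));
}

// Vulnerable handler, as on the page: the raw body is written to the record.
function updateProfileVulnerable(db, userId, body) {
  return db.update(userId, body);
}

// Fixed handler: the body is reduced to the DTO before it touches the database.
function updateProfileFixed(db, userId, body) {
  const dto = pickAllowed(body, PROFILE_UPDATE_ALLOWLIST);
  return db.update(userId, dto);
}

// Stand-alone demonstration with a constructed request body that carries
// extra fields beyond the expected {name, email}.
function demo() {
  const body = { name: 'John D.', email: 'john@example.com', role: 'admin', verified: true };
  const vulnerable = updateProfileVulnerable(makeDb(), 42, body);
  const fixed = updateProfileFixed(makeDb(), 42, body);
  return {
    vulnerableRole: vulnerable.role, // 'admin': every key was applied
    fixedRole: fixed.role,           // 'user': role was never copied
    dropped: rejectedFields(body, PROFILE_UPDATE_ALLOWLIST), // ['role', 'verified']
  };
}

console.log(demo());
```

The allowlist is deliberately a list of field names rather than a list of fields to strip: a blocklist has to be updated every time a new sensitive column (say, a future `is_staff`) is added to the table, whereas an allowlist fails closed.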
