API01 Mass Assignment / Over-Posting
What this means
SiteShadow flagged code that takes client input (JSON/body/form) and binds it directly to an internal model/object without an explicit allowlist of fields.
Why it matters
Attackers can set fields you did not intend to expose (roles, pricing, flags).
- Privilege escalation: set role=admin, isStaff=true, permissions=[...].
- Business logic abuse: set price=0, status=paid, creditBalance=9999.
- Hidden fields become public as the model evolves over time.
Safer examples
1) Explicit allowlist (recommended)
const allowed = (({ name, email }) => ({ name, email }))(req.body);
await updateUser(req.user.id, allowed);
2) Use DTOs / schemas (validation + stripping unknown fields)
import { z } from "zod";
// .strict() rejects bodies with unknown keys; zod's default (no .strict()) strips them silently instead.
const schema = z.object({ name: z.string().min(1), email: z.string().email() }).strict();
const input = schema.parse(req.body); // throws on invalid or unexpected fields
3) Separate "admin update" vs "self update"
Give admin-only fields a separate endpoint guarded by role checks.
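The following is an added example, not SiteShadow's own code: a minimal in-memory user record showing how a blind merge of the request body lets an over-posted field change the role, next to the allowlist form from 1) and a helper that reports which rejected fields a request tried to set (a useful log/alert signal). All names and sample values are constructed for this illustration.

```javascript
// Fields a user may change on their own record (constructed for this example).
const ALLOWED_SELF_UPDATE_FIELDS = ["name", "email"];

// Constructed sample record; role and creditBalance are the sensitive fields.
function freshUser() {
  return { id: 42, name: "Ada", email: "ada@example.com", role: "user", creditBalance: 0 };
}

// Vulnerable pattern: every key in the body is written straight into the model.
function updateUserUnsafe(user, body) {
  return { ...user, ...body };
}

// Copy only allowlisted keys that the body actually carries; ignore the rest.
function pickAllowed(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

// Safe pattern: merge the allowlisted subset only.
function updateUserSafe(user, body) {
  return { ...user, ...pickAllowed(body, ALLOWED_SELF_UPDATE_FIELDS) };
}

// Names the keys a body tried to set outside the allowlist, so the handler can
// log or alert on over-posting attempts instead of just dropping them silently.
function rejectedFields(body, allowed) {
  return Object.keys(body).filter((k) => !allowed.includes(k));
}

// Constructed over-posted request body: a legitimate name change plus two
// fields the client should never be able to set.
const overPosted = { name: "Ada L.", role: "admin", creditBalance: 9999 };

console.log(updateUserUnsafe(freshUser(), overPosted).role);   // "admin"
console.log(updateUserSafe(freshUser(), overPosted).role);     // "user"
console.log(rejectedFields(overPosted, ALLOWED_SELF_UPDATE_FIELDS)); // ["role", "creditBalance"]
```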
How SiteShadow detects it (high level)
- Looks for request-body binding patterns (spread/merge of req.body, "update from params", ORM.create(req.body)).
- Flags when a model contains sensitive-looking fields and there is no obvious allowlist/sanitization nearby.
References
- OWASP Top 10: https://owasp.org/Top10/
---