mass-assignment
Safeguard articles tagged "mass-assignment" — guides, analysis, and best practices for software supply chain and application security.
10 articles
Preventing mass assignment in Spring MVC and Spring Boot
CWE-915 mass assignment lets one extra JSON field turn a profile update into a privilege escalation — here's how DTOs beat @JsonIgnore in Spring.
Mass assignment in Node, Express, and Mongoose apps
One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.
Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation
One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.
Java DTOs for secure data handling
A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.
Laravel Security Best Practices: Mass Assignment, Blade, and Debug Mode
Laravel's defaults are solid, but $guarded misuse, {!! !!} in Blade, and APP_DEBUG=true in production have all led to real compromises. Here's the fix.
Rails Security Best Practices: Strong Parameters, SQL, and Gems
Rails ships secure defaults, but mass assignment, string-interpolated SQL, and unvetted gems still cause real breaches. Here is how to hold the line.
Mass Assignment Vulnerability: How to Prevent It
Mass assignment lets attackers set fields you never meant to expose — like isAdmin or accountBalance — by adding them to a request body. Here is the fix.
Rails mass assignment vulnerabilities and the strong para...
How a 2012 GitHub hack exposed Rails' mass assignment flaw, why attr_accessible failed, and how strong parameters became the lasting fix.
Mass assignment vulnerabilities explained
Mass assignment lets attackers write privileged fields like "role":"admin" via ordinary API calls. Learn how it works, real CVEs, and fixes.
Broken Object Property Level Authorization (BOPLA)
BOPLA (OWASP API3:2023) lets APIs correctly check object access while leaking or accepting the wrong fields. Real breaches show why it's so hard to catch.