Safeguard
Tag

mass-assignment

Safeguard articles tagged "mass-assignment" — guides, analysis, and best practices for software supply chain and application security.

10 articles

Application Security

Preventing mass assignment in Spring MVC and Spring Boot

CWE-915 mass assignment lets one extra JSON field turn a profile update into a privilege escalation — here's how DTOs beat @JsonIgnore in Spring.

Jul 14, 20266 min read
Application Security

Mass assignment in Node, Express, and Mongoose apps

One unfiltered req.body.role field can turn a signup form into an admin-creation endpoint — here's how mass assignment happens in Node and how to stop it.

Jul 14, 20266 min read
Application Security

Mass assignment in Python: how setattr and **kwargs turn request bodies into privilege escalation

One unguarded setattr() loop can let a JSON body set is_admin directly — the same bug class that let a researcher add his key to Rails' GitHub org in 2012.

Jul 14, 20266 min read
Application Security

Java DTOs for secure data handling

A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.

Jul 12, 20266 min read
Security Guides

Laravel Security Best Practices: Mass Assignment, Blade, and Debug Mode

Laravel's defaults are solid, but $guarded misuse, {!! !!} in Blade, and APP_DEBUG=true in production have all led to real compromises. Here's the fix.

Jul 4, 20265 min read
Security Guides

Rails Security Best Practices: Strong Parameters, SQL, and Gems

Rails ships secure defaults, but mass assignment, string-interpolated SQL, and unvetted gems still cause real breaches. Here is how to hold the line.

Jul 3, 20265 min read
Vulnerability Guides

Mass Assignment Vulnerability: How to Prevent It

Mass assignment lets attackers set fields you never meant to expose — like isAdmin or accountBalance — by adding them to a request body. Here is the fix.

Jul 2, 20265 min read
Industry Analysis

Rails mass assignment vulnerabilities and the strong para...

How a 2012 GitHub hack exposed Rails' mass assignment flaw, why attr_accessible failed, and how strong parameters became the lasting fix.

Jan 27, 20267 min read
Vulnerability Analysis

Mass assignment vulnerabilities explained

Mass assignment lets attackers write privileged fields like "role":"admin" via ordinary API calls. Learn how it works, real CVEs, and fixes.

Dec 5, 20257 min read
Industry Analysis

Broken Object Property Level Authorization (BOPLA)

BOPLA (OWASP API3:2023) lets APIs correctly check object access while leaking or accepting the wrong fields. Real breaches show why it's so hard to catch.

Nov 7, 20257 min read
mass-assignment — Safeguard Blog