Mass Assignment / Auto-binding

Mass assignment / auto-binding can inadvertently expose hidden parameters. It occurs when a web framework automatically binds request parameters to the fields of an internal object. As a result, the application may accept and process parameters that the developer never intended to be client-controlled.

💡 See lab WebSecurityAcademy (PortSwigger) – API testing.

Testing

Example: Try to change your personal information, but add extra parameters to the request such as “role” or “isAdmin”, and check whether the extra fields are reflected in your account afterwards.
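To make the mechanism above concrete, and to show what the profile-update probe from the Testing section looks like on the server side, here is an added example in Python (not code from the original page): a minimal auto-binding routine in its mass-assignment-prone form next to an allowlisted form that also reports which unexpected fields a client sent. The class, function and parameter names (User, bind_all, bind_allowed, is_admin, PROFILE_FIELDS) are this example's own assumptions, and the request body is constructed.

```python
# Added example, not from the original page: a framework-style auto-binder
# in its mass-assignment-prone form and in an allowlisted form.
# Names (User, bind_all, bind_allowed, is_admin) are assumptions for this example.

from dataclasses import dataclass
from typing import Any, Dict, Iterable, Tuple


@dataclass
class User:
    username: str
    email: str
    role: str = "user"       # fields a profile form never exposes ...
    is_admin: bool = False   # ... but that an auto-binder will happily write


def bind_all(obj: Any, params: Dict[str, Any]) -> Any:
    """Mass-assignment-prone binding: every request parameter whose name
    matches an attribute on the object is written through, so a client can
    set fields the form never showed (here: role, is_admin)."""
    for name, value in params.items():
        if hasattr(obj, name):
            setattr(obj, name, value)
    return obj


def bind_allowed(obj: Any, params: Dict[str, Any],
                 allowed: Iterable[str]) -> Dict[str, Any]:
    """Hardened binding: only explicitly allowlisted fields are written.
    Returns the parameters that were rejected so the caller can log them;
    a client sending is_admin on a profile update is worth an alert."""
    allowed_set = set(allowed)
    rejected = {k: v for k, v in params.items() if k not in allowed_set}
    for name in allowed_set:
        if name in params:
            setattr(obj, name, params[name])
    return rejected


# Constructed request body: a profile update with two extra fields appended,
# i.e. the probe described in the Testing section.
PROFILE_UPDATE = {
    "username": "alice",
    "email": "alice@example.invalid",
    "role": "admin",
    "is_admin": True,
}

# The only fields the profile form is meant to let a user change.
PROFILE_FIELDS = ("username", "email")


def demo_vulnerable() -> User:
    """Bind the update with the naive binder: privilege fields get written."""
    user = User(username="alice", email="old@example.invalid")
    return bind_all(user, PROFILE_UPDATE)


def demo_hardened() -> Tuple[User, Dict[str, Any]]:
    """Bind the update with the allowlist: privilege fields are rejected and
    returned so they can be logged or alerted on."""
    user = User(username="alice", email="old@example.invalid")
    rejected = bind_allowed(user, PROFILE_UPDATE, PROFILE_FIELDS)
    return user, rejected


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    hardened_user, rejected_fields = demo_hardened()
    print("hardened:", hardened_user)
    print("rejected fields (log these):", rejected_fields)
```

The defensive pattern is the one used by most frameworks' "permitted parameters" or DTO/form-object features: bind into an object that only has the fields the endpoint is meant to accept, or pass an explicit allowlist, and treat rejected fields as a signal for detection rather than silently dropping them.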