Juicy Shop
Mass Assignment / Privilege Escalation
Vulnerability
The profile update spreads every client-supplied field straight into the persisted record. The client is only meant to change display fields, but because the handler trusts the whole body, an attacker can add sensitive fields the UI never exposes — "role":"admin" or "isAdmin":true — and have them written verbatim. This auto-binding of input to internal state is a design flaw that grants privilege escalation.
Exploit Steps
- Open the profile-update request in an intercepting proxy
- Add an extra JSON field such as "role":"admin" or "isAdmin":true
- Send the modified request to the server
- The field is bound and saved, escalating the attacker to administrator
Tools: Burp Suite, browser devtools, curl
Mitigation & Solution
Never bind the raw request body to your model. Decode against an explicit allow-list schema that contains only the user-editable fields and ignores/rejects everything else. Keep authority fields (role, isAdmin, balance) server-controlled and changeable only through dedicated, authorised flows.
Coding Challenge
Find It
File: apps/juicy-shop/src/security-examples/mass-assignment.ts
Click the line that contains the vulnerability: