Juicy Shop

Mass Assignment / Privilege Escalation

DesignA04:2021 – Insecure Designhigh

Vulnerability

The profile update spreads every client-supplied field straight into the persisted record. The client is only meant to change display fields, but because the handler trusts the whole body, an attacker can add sensitive fields the UI never exposes — "role":"admin" or "isAdmin":true — and have them written verbatim. This auto-binding of input to internal state is a design flaw that grants privilege escalation.

Exploit Steps

  1. Open the profile-update request in an intercepting proxy
  2. Add an extra JSON field such as "role":"admin" or "isAdmin":true
  3. Send the modified request to the server
  4. The field is bound and saved, escalating the attacker to administrator

Tools: Burp Suite, browser devtools, curl

Mitigation & Solution

Never bind the raw request body to your model. Decode against an explicit allow-list schema that contains only the user-editable fields and ignores/rejects everything else. Keep authority fields (role, isAdmin, balance) server-controlled and changeable only through dedicated, authorised flows.

Coding Challenge

Find It

File: apps/juicy-shop/src/security-examples/mass-assignment.ts

Click the line that contains the vulnerability:

Fix It