I've been working on the "API - Mass Assignment" challenge on Root-Me (https://www.root-me.org/en/Challenges/Web-Server/API-Mass-Assignment) and have hit a roadblock despite extensive efforts to solve it. I'm hoping to get some guidance or insights that might help me overcome this challenge.
What I'm Trying to Achieve:
The challenge is about exploiting a mass assignment vulnerability in an API. The goal is to manipulate the API request in a way that allows unauthorized access or modification of data. I understand the concept of mass assignment vulnerabilities, where an attacker can exploit the way an application assigns user input to object properties, potentially modifying attributes that were not intended to be exposed.
What I've Done So Far:
- I watched the recommended YouTube video (https://www.youtube.com/watch?v=RiKikKIibpk) [it's in French] provided in the challenge description, which explains the basics of mass assignment vulnerabilities and demonstrates an example exploit.
- I've read through multiple online resources and tutorials on mass assignment vulnerabilities to understand the common ways to exploit such weaknesses.
- I attempted to modify the JSON payload in the API request, trying to add or change properties that I suspected might be vulnerable to mass assignment.
- I've also tried using tools like Burp Suite to intercept and modify requests to see if I could bypass any restrictions or manipulate the data being sent.
Where I'm Stuck:
Despite my efforts, I seem to be missing something crucial. Either my understanding of how to exploit this vulnerability in this specific challenge is flawed, or I'm not correctly identifying the vulnerable parameters. Here's what I'm struggling with:
- Identifying the exact parameters or objects that are susceptible to mass assignment in this challenge.
- Constructing the correct payload that would exploit the vulnerability.
- Understanding if there's a specific technique or tool that I should be using to identify or exploit the vulnerability more effectively.
My Question:
Could anyone provide insights or hints on how to approach this challenge?
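Added example (not code from the original post or from the Root-Me challenge): a minimal Python profile-update handler showing the binding pattern the post describes, next to an allowlisted version that also reports rejected keys so they can be logged. All names, fields and the sample request body are constructed.

```python
# Added example: the mass-assignment pattern described above, with a hardened
# variant. Names, fields and the sample request body are all constructed.
from dataclasses import dataclass
from typing import Any

# Only these fields may be set by the client; everything else is server-owned.
CLIENT_WRITABLE = frozenset({"display_name", "email"})


@dataclass
class User:
    username: str
    email: str
    display_name: str = ""
    role: str = "user"  # privilege level; must never come from the request


def update_profile_unsafe(user: User, body: dict[str, Any]) -> User:
    """Vulnerable: binds every JSON key to an attribute of the object."""
    for key, value in body.items():
        setattr(user, key, value)  # 'role' is silently overwritten
    return user


def update_profile_safe(user: User, body: dict[str, Any]) -> tuple[User, list[str]]:
    """Hardened: allowlist of writable fields; rejected keys are returned for logging."""
    rejected = sorted(k for k in body if k not in CLIENT_WRITABLE)
    for key, value in body.items():
        if key in CLIENT_WRITABLE:
            setattr(user, key, value)
    return user, rejected


# Constructed request body: one legitimate field plus one server-owned field.
SAMPLE_BODY = {"display_name": "alice", "role": "admin"}


def demo() -> tuple[str, str, list[str]]:
    vuln_user = User(username="alice", email="a@example.com")
    safe_user = User(username="alice", email="a@example.com")
    update_profile_unsafe(vuln_user, SAMPLE_BODY)
    _, rejected = update_profile_safe(safe_user, SAMPLE_BODY)
    # Unexpected keys on a profile update are a useful detection signal.
    return vuln_user.role, safe_user.role, rejected


if __name__ == "__main__":
    print(demo())  # ('admin', 'user', ['role'])
```

The hardened handler never binds unknown keys, and the returned `rejected` list is what you would write to an application log to spot probing of server-owned fields.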