Security

Mass Assignment Protection

How binding a whole request body can set fields you never meant to expose.

5 min read · core · beat Gold to climb

The Risk

Many frameworks make it easy to bind an incoming request body directly onto an internal object. This is convenient, but if the object has sensitive fields such as a role, an account balance, or a verified flag, an attacker can include those fields in the request. The framework sets them along with the expected ones. This is mass assignment, and it can grant privileges or alter protected state.

The danger is trusting the shape of the request to match the fields a user is allowed to change.

The Defense

  • Use an allowlist of fields that may be bound, and ignore everything else.
  • Bind requests to a narrow input model that contains only user-editable fields, then map it onto the internal object explicitly.
  • Never expose sensitive fields to automatic binding.
  • Set protected fields such as roles only through dedicated server-side logic.
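The two binding styles side by side, as an added example that is not part of the original lesson: a vulnerable "set every key" binder, an allowlisted input-model binder that also reports which keys it dropped (useful for alerting on tampering attempts), and a dedicated function for the protected field. The `User` and `ProfileUpdate` types and the request body are constructed for the illustration.

```python
from dataclasses import dataclass, fields
from typing import Optional, Set, Tuple

@dataclass
class User:
    username: str
    email: str
    role: str = "user"        # sensitive: only admin logic may change it
    verified: bool = False    # sensitive: set by the verification flow

# Constructed request body: the client adds fields the form never offers.
TAMPERED_BODY = {"email": "new@example.com", "role": "admin", "verified": True}

def bind_unsafe(user: User, body: dict) -> User:
    """Vulnerable pattern: every key in the body becomes an attribute."""
    for key, value in body.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user

@dataclass
class ProfileUpdate:
    """Narrow input model: only the fields a user may edit about themselves."""
    email: Optional[str] = None
    username: Optional[str] = None

ALLOWED = {f.name for f in fields(ProfileUpdate)}  # the allowlist

def bind_safe(user: User, body: dict) -> Tuple[User, Set[str]]:
    """Allowlist binding: build ProfileUpdate, then map it onto User explicitly.
    Returns the keys that were dropped so the caller can log or alert on them."""
    rejected = set(body) - ALLOWED
    update = ProfileUpdate(**{k: v for k, v in body.items() if k in ALLOWED})
    if update.email is not None:
        user.email = update.email
    if update.username is not None:
        user.username = update.username
    return user, rejected

def promote_to_admin(user: User, actor_role: str) -> User:
    """Protected field changed only through dedicated server-side logic."""
    if actor_role != "admin":
        raise PermissionError("only admins may change roles")
    user.role = "admin"
    return user

def demo() -> dict:
    """Run both binders over the tampered body and summarise the outcome."""
    victim = bind_unsafe(User("alice", "a@example.com"), dict(TAMPERED_BODY))
    safe, rejected = bind_safe(User("alice", "a@example.com"), dict(TAMPERED_BODY))
    return {"unsafe_role": victim.role, "safe_role": safe.role, "rejected": rejected}
```

In a real service the `rejected` set is what you would write to the audit log: unexpected keys such as `role` in a profile update are a strong signal of probing.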

Key idea

Bind requests through an explicit allowlist or input model so attackers cannot smuggle sensitive fields into objects you never meant to expose.

Check yourself

Answer to earn rating on the learn ladder.

1. What does mass assignment exploit?

2. Which approach prevents it?