Mass Assignment API: Blind JSON Binding

Goal: Use JSON fields to modify internal model properties that the API should never accept from a client.

Hints
  • This endpoint decodes JSON and copies every property into the account object.
  • The UI only suggests username, but the parser will accept anything in the payload.
  • Look for state keys that sound internal rather than user-editable.

Why this works

Framework auto-binding deserializes the request body straight into a server-side model, copying every key in the JSON onto the object. Without an explicit allowlist of client-editable fields, an attacker can set privileged properties such as role or credits simply by including them in the payload, even though the UI never exposes them.
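The following is an added example and not the lab's own backend code. It models the account shape from the lab's "Current Account JSON" and shows a blind-binding PATCH handler beside an allowlisted one. The function names, the allowlist (only username is client-editable), and the attacker payload are assumptions made for this example.

```javascript
// Added example (not the lab's code): blind JSON binding vs. an allowlisted PATCH.
// Account shape mirrors the lab's "Current Account JSON"; handler names, the
// allowlist and the attacker payload are assumptions for this illustration.

// Starting state, copied from the lab's account JSON.
function freshAccount() {
  return { username: "api-user", role: "user", credits: 10, debug: false, labAccess: false };
}

// VULNERABLE: every key in the decoded body is copied onto the model.
// This is the auto-binding behaviour the lab describes.
function patchAccountBlind(account, body) {
  return Object.assign({ ...account }, body);
}

// HARDENED: only fields the client may edit are copied. Everything else is
// collected in `rejected` so the handler can refuse or log the request.
const CLIENT_EDITABLE = new Set(["username"]);

function patchAccountAllowlisted(account, body) {
  const updated = { ...account };
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (CLIENT_EDITABLE.has(key)) {
      updated[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { updated, rejected };
}

// Constructed attacker payload: the UI only sends username, but the parser
// accepts anything, so privileged keys are smuggled in alongside it.
const attackerPayload = JSON.parse(
  '{"username":"api-user","role":"admin","credits":999999,"debug":true,"labAccess":true}'
);

// Run both handlers on the same payload and return the outcomes for comparison.
function demo() {
  const blind = patchAccountBlind(freshAccount(), attackerPayload);
  const safe = patchAccountAllowlisted(freshAccount(), attackerPayload);
  return { blind, safe };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the blind handler the stored account comes back with role "admin" and the inflated credit balance; with the allowlist the account is unchanged apart from username, and the four privileged keys are reported as rejected. Rejecting rather than silently dropping unknown keys is the more useful choice in practice, because a request that names role or debug is itself a strong signal of probing.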


Current Account JSON

{
    "username": "api-user",
    "role": "user",
    "credits": 10,
    "debug": false,
    "labAccess": false
}

PATCH /api/account