Mass Assignment Hard: Nested Properties

Goal: Overwrite nested permission or wallet properties that should never be client-controlled.

Hints

The server loops through nested arrays and writes them directly into the state object.
Bracket notation matters here.
The visible form only edits profile fields, but the server trusts any nested object keys it receives.

Why this works

Nested object merging is a common mass-assignment source. Once the server recursively trusts client keys, permission or billing objects become attacker-controlled.

Back to Mass Assignment

Stored Account Object

Display Name: RatUser

Email: rat@hackxpert.com

Can Refund: 0

Can Export: 0

Wallet Credit: 5

Mass Assignment Hard: Nested Properties

Stored Account Object

Edit Public Profile