Mass Assignment Easy: Hidden Role Field

Goal: Promote your profile to admin, even though the UI presents nothing more than a username update form.

Hints
  • Every POST field is copied into the server-side profile object.
  • The UI hides one field, but the server still trusts it if it arrives.
  • This is the classic mass assignment pattern: request parameters are bound straight onto a model object with no allow-list of editable fields.
Why this works

Mass assignment happens when the server blindly maps client-supplied fields onto an internal object. A hidden input is a UI convention, not a security control: the browser is attacker-controlled, so any field can be added, renamed or changed with an intercepting proxy or a hand-built request, and the server will bind whatever arrives. The fix is to copy only an explicit allow-list of editable fields and treat anything else as suspicious.
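As an added illustration (not the lab's own server code), the snippet below shows the vulnerable binding pattern next to an allow-list version, fed the same constructed request body. The parameter names `username`, `bio` and `account_type` are assumptions: the page shows only the labels "Username", "Account Type" and "Bio", not the actual POST field names.

```python
from dataclasses import dataclass, asdict
from urllib.parse import parse_qsl

# Assumed field names; the lab page shows labels, not POST parameter names.
EDITABLE_FIELDS = {"username", "bio"}


@dataclass
class Profile:
    """Server-side profile object, seeded with the lab's initial state."""
    username: str = "User"
    account_type: str = "user"
    bio: str = "I love cheese labs."


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into a dict.
    With duplicate keys the last value wins, as in many frameworks."""
    return dict(parse_qsl(body, keep_blank_values=True))


def update_profile_vulnerable(profile: Profile, form: dict) -> Profile:
    """The lab's bug: every submitted field is copied onto the model,
    including ones the form never rendered (and even names the model
    never had, since setattr() accepts arbitrary attribute names)."""
    for key, value in form.items():
        setattr(profile, key, value)
    return profile


def update_profile_hardened(profile: Profile, form: dict) -> tuple:
    """Allow-list binding: only the fields this form is meant to edit are
    copied. Unexpected fields are returned so the caller can log or alert
    on them rather than silently ignoring a probing request."""
    rejected = sorted(k for k in form if k not in EDITABLE_FIELDS)
    for key in sorted(EDITABLE_FIELDS.intersection(form)):
        setattr(profile, key, form[key])
    return profile, rejected


# Constructed request body: the two visible form fields plus the
# account_type parameter an attacker adds in an intercepting proxy.
ATTACK_BODY = "username=User&bio=I+love+cheese+labs.&account_type=admin"


def demo() -> tuple:
    """Run the same attacker request through both handlers."""
    form = parse_form(ATTACK_BODY)
    vuln = update_profile_vulnerable(Profile(), form)
    safe, rejected = update_profile_hardened(Profile(), form)
    return asdict(vuln), asdict(safe), rejected


if __name__ == "__main__":
    vuln_state, safe_state, rejected_fields = demo()
    print("vulnerable:", vuln_state)
    print("hardened:  ", safe_state, "rejected:", rejected_fields)
```

The vulnerable handler ends with `account_type` set to `admin`; the hardened one leaves it at `user` and reports the stray parameter. The allow-list lives on the server, where the attacker cannot edit it, which is the whole difference from hiding the input in the UI.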


Current Profile State

Username: User

Account Type: user

Bio: I love cheese labs.

Edit Profile