Mining REST APIs for Potential Mass Assignment Vulnerabilities
Arash Mazidi, Davide Corradini, Mohammad Ghafari
TL;DR
Mass assignment vulnerabilities in REST APIs arise when auto-binding maps input data to internal data representations without excluding read-only attributes. LightMass is a specification-based tool that mines OpenAPI specs to identify candidate endpoints and attributes by comparing GET response attributes with POST/PUT/PATCH request attributes, using Porter stemming and a Jaccard-like similarity measure. In a preliminary study of 100 APIs, LightMass flagged 25 potentially vulnerable APIs (115 endpoints, 133 operations, 495 attributes), with nine confirmed vulnerable operations across six APIs, though some false positives occurred. The approach enables early security signaling without running the API and complements automated testing pipelines (e.g., enabling Akto to perform fully automated mass assignment testing).
Abstract
REST APIs have a pivotal role in accessing protected resources. Despite the availability of security testing tools, mass assignment vulnerabilities are common in REST APIs, leading to unauthorized manipulation of sensitive data. We propose a lightweight approach to mine the REST API specifications and identify operations and attributes that are prone to mass assignment. We conducted a preliminary study on 100 APIs and found 25 prone to this vulnerability. We confirmed nine real vulnerable operations in six APIs.
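The specification-mining step summarized above, as an added example that is not the authors' LightMass code: it walks a constructed OpenAPI 3 document, unions the attributes of each resource's GET responses, and for every POST/PUT/PATCH on that resource reports the Jaccard overlap with the request body together with the attributes the GET exposes but the request never accepts (the mass-assignment candidates). The suffix-stripping `normalize` is a simplified stand-in for Porter stemming, and the `MIN_OVERLAP` threshold and the grouping of `/users/{id}` with `/users` are assumptions of this example.

```python
import re
WRITE_METHODS = ("post", "put", "patch")
MIN_OVERLAP = 0.15  # assumed threshold; below it the write op probably targets a different resource
def normalize(name):
    """Simplified stand-in for Porter stemming: fold case and separators, strip a common suffix."""
    s = re.sub(r"[_\-\s]", "", name.lower())
    for suffix in ("ies", "ing", "ed", "s"):
        if s.endswith(suffix) and len(s) > len(suffix) + 2:
            return s[:-len(suffix)] + ("y" if suffix == "ies" else "")
    return s
def attributes(schema, spec, seen=frozenset()):
    """Normalized property names under a schema, following $ref (cycle-safe) and nested objects."""
    ref = schema.get("$ref")
    if ref:
        if ref in seen: return set()  # cycle guard for self-referencing schemas
        seen, schema = seen | {ref}, spec["components"]["schemas"][ref.rsplit("/", 1)[-1]]
    if schema.get("type") == "array": schema = schema.get("items", {})
    found = set()
    for prop, sub in schema.get("properties", {}).items():
        found.add(normalize(prop))
        found |= attributes(sub, spec, seen)  # flatten nested objects into one attribute set
    return found
def _json_schema(holder):
    return holder.get("content", {}).get("application/json", {}).get("schema", {})
def find_candidates(spec, min_overlap=MIN_OVERLAP):
    """(METHOD, path) -> (Jaccard overlap, attributes the GET exposes but the request body omits)."""
    resource = lambda p: re.sub(r"/\{[^}]+\}$", "", p)  # /users/{id} and /users share a resource
    exposed = {}  # resource -> attributes seen in any 200 GET response for it
    for path, item in spec["paths"].items():
        ok = item.get("get", {}).get("responses", {}).get("200", {})
        exposed.setdefault(resource(path), set()).update(attributes(_json_schema(ok), spec))
    out = {}
    for path, item in spec["paths"].items():
        resp = exposed.get(resource(path), set())
        for method in [m for m in WRITE_METHODS if m in item and resp]:
            req = attributes(_json_schema(item[method].get("requestBody", {})), spec)
            overlap = len(resp & req) / len(resp | req)
            if overlap >= min_overlap:
                out[(method.upper(), path)] = (overlap, sorted(resp - req))
    return out

SAMPLE_SPEC = {  # constructed OpenAPI 3 fragment for the demo, not a real API
    "components": {"schemas": {
        "User": {"type": "object", "properties": {"id": {}, "email": {}, "display_name": {}, "role": {}, "created_at": {}}},
        "NewUser": {"type": "object", "properties": {"email": {}, "displayName": {}, "password": {}}}}},
    "paths": {
        "/users": {"post": {"requestBody": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/NewUser"}}}}}},
        "/users/{id}": {"get": {"responses": {"200": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}},
                        "patch": {"requestBody": {"content": {"application/json": {"schema": {"type": "object", "properties": {"displayName": {}}}}}}}}}}
```

Flagged attributes such as `role` or `created_at` are only candidates: as the study's false positives show, each still has to be confirmed against the running API before it counts as a vulnerability.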
