[{"data":1,"prerenderedAt":177},["ShallowReactive",2],{"blog-vulnerabilities/mass-assignment":3},{"id":4,"title":5,"body":6,"category":157,"date":158,"dateModified":158,"description":159,"draft":160,"extension":161,"faq":162,"featured":160,"headerVariant":163,"image":162,"keywords":162,"meta":164,"navigation":165,"ogDescription":166,"ogTitle":162,"path":167,"readTime":168,"schemaOrg":169,"schemaType":170,"seo":171,"sitemap":172,"stem":173,"tags":174,"twitterCard":175,"__hash__":176},"blog/blog/vulnerabilities/mass-assignment.md","Mass Assignment Explained",{"type":7,"value":8,"toc":148},"minimark",[9,16,21,36,41,88,92,101,117,136],[10,11,12],"tldr",{},[13,14,15],"p",{},"Mass assignment happens when you pass user input directly to database operations without filtering. Attackers add extra fields like \"isAdmin: true\" to their request and your code saves them. Always explicitly pick which fields to accept from user input, never spread the entire request body. This applies to update endpoints (User.update(req.body), Object.assign(user, req.body)) just as much as to the registration example below, and role flags are only the obvious target: any column the client is not meant to write is in scope.",[17,18,20],"h2",{"id":19},"how-mass-assignment-works","How Mass Assignment Works",[22,23,25],"code-block",{"label":24},"Vulnerable: spreading request body",[26,27,32],"pre",{"className":28,"code":30,"language":31},[29],"language-text","// User registration endpoint\napp.post('/api/register', async (req, res) => {\n  // VULNERABLE: saves whatever user sends, so every column the\n  // model has (role, verified, balance, ...) is client-controlled\n  const user = await User.create(req.body);\n  res.json(user);  // also echoes the full stored record back\n});\n\n// Normal request:\n// { \"email\": \"user@example.com\", \"password\": \"secret\" }\n\n// Attack request:\n// { \"email\": \"user@example.com\", \"password\": \"secret\", \"role\": \"admin\" }\n","text",[33,34,30],"code",{"__ignoreMap":35},"",[37,38,40],"h3",{"id":39},"common-dangerous-fields","Common Dangerous Fields",[42,43,44,57,65,73,79],"ul",{},[45,46,47,50,51,50,54],"li",{},[33,48,49],{},"role",", 
",[33,52,53],{},"isAdmin",[33,55,56],{},"permissions",[45,58,59,50,62],{},[33,60,61],{},"verified",[33,63,64],{},"emailVerified",[45,66,67,50,70],{},[33,68,69],{},"balance",[33,71,72],{},"credits",[45,74,75,78],{},[33,76,77],{},"password"," (when updating profile)",[45,80,81,50,84,87],{},[33,82,83],{},"id",[33,85,86],{},"userId"," (changing ownership)",[17,89,91],{"id":90},"how-to-prevent-it","How to Prevent It",[22,93,95],{"label":94},"Safe: explicit field picking",[26,96,99],{"className":97,"code":98,"language":31},[29],"app.post('/api/register', async (req, res) => {\n  // Only pick allowed fields; anything else in req.body is ignored\n  const { email, password, name } = req.body;\n\n  const user = await User.create({\n    email,\n    password,\n    name,\n    role: 'user',  // Always set privileged defaults server-side\n    verified: false\n  });\n\n  // Return only what the client needs; never echo the stored record\n  res.status(201).json({ id: user.id, email: user.email });\n});\n\n// Or use a validation library\nimport { z } from 'zod';\n\nconst registerSchema = z.object({\n  email: z.string().email(),\n  password: z.string().min(8),\n  name: z.string()\n}).strict();  // Reject extra fields (zod's default mode strips them silently)\n\napp.post('/api/register', async (req, res) => {\n  // parse() throws a ZodError on unknown or invalid fields; catch it\n  // (or use safeParse) and respond 400 instead of leaving the request hanging\n  const data = registerSchema.parse(req.body);\n\n  // data is the validated object, not req.body; privileged defaults are\n  // still set here so they can never come from the client\n  const user = await User.create({\n    ...data,\n    role: 'user',\n    verified: false\n  });\n  res.status(201).json({ id: user.id, email: user.email });\n});\n",[33,100,98],{"__ignoreMap":35},[102,103,104,111],"faq-section",{},[105,106,108],"faq-item",{"question":107},"Isn't this just bad input validation?",[13,109,110],{},"Yes, mass assignment is a specific type of input validation failure. It is common enough to have its own name because ORMs and frameworks make it easy to allow by accident: any create or update call that takes a plain object will write every key it receives that the model knows about.",[105,112,114],{"question":113},"Does TypeScript prevent this?",[13,115,116],{},"No. TypeScript types are compile-time only. At runtime, req.body can contain anything. 
You need runtime validation with a library like Zod, Yup, or Joi, and the schema must reject or strip unknown keys; check your library's default, because some only validate the fields you declare and pass unrecognised ones through to the ORM.",[118,119,120,126,131],"related-articles",{},[121,122],"related-card",{"description":123,"href":124,"title":125},"Related authorization issue","/blog/vulnerabilities/idor","IDOR",[121,127],{"description":128,"href":129,"title":130},"Authorization overview","/blog/vulnerabilities/broken-access-control","Broken Access Control",[121,132],{"description":133,"href":134,"title":135},"Validation techniques","/blog/how-to/validate-user-input","Input Validation",[137,138,141,145],"cta-box",{"href":139,"label":140},"/","Start Free Scan",[17,142,144],{"id":143},"scan-for-mass-assignment","Scan for Mass Assignment",[13,146,147],{},"Our scanner detects endpoints vulnerable to mass assignment.",{"title":35,"searchDepth":149,"depth":149,"links":150},2,[151,155,156],{"id":19,"depth":149,"text":20,"children":152},[153],{"id":39,"depth":154,"text":40},3,{"id":90,"depth":149,"text":91},{"id":143,"depth":149,"text":144},"vulnerabilities","2026-01-22","Mass assignment lets attackers modify fields they should not have access to by adding extra properties to requests. Learn how to whitelist allowed fields.",false,"md",null,"red",{"noindex":165},true,"Learn how mass assignment vulnerabilities work and how to prevent them.","/blog/vulnerabilities/mass-assignment","5 min read","[object Object]","TechArticle",{"title":5,"description":159},{"loc":167},"blog/vulnerabilities/mass-assignment",[],"summary_large_image","ul8wgT8FPkcRhBlHZgnfGgOv_gkBobboDNmtXTChdx0",1775843926410]