
Let’s build an API to hack — Part 4: OWASP API top 10 — Mass assignment

Thexssrat
6 min read · Aug 20, 2021


Introduction

For the issue type “Mass assignment”, the UI displays only the following fields in your account settings:

  • Name + last name
  • Username
  • Address

Mass assignment occurs when objects carry properties, like “userType”, that are bound to the user object but are not exposed in the UI per se, or even in the API request. A tester might have to guess such hidden properties, but since I wanted to teach with this assignment, guessing is kept to a minimum.
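An added example, not from the article, of the “userType” mass-assignment bug described above, modelled as plain functions so it runs without Flask (in a Flask view the payload dict would come from request.get_json()); the user record, the request body and the function names are constructed for illustration:

```python
# Added example (not from the original article): the "userType" mass-assignment bug
# the article describes, modelled as plain functions so it runs without Flask.
# In a Flask view the `payload` dict would come from request.get_json().
from copy import deepcopy

# Fields the account-settings UI actually exposes (from the article).
UI_EDITABLE_FIELDS = frozenset({"name", "lastname", "username", "address"})

# Constructed sample user record; "userType" is bound to the object but never shown in the UI.
SAMPLE_USER = {
    "id": 7,
    "name": "Alice",
    "lastname": "Example",
    "username": "alice",
    "address": "1 Main St",
    "userType": "user",
}


def update_profile_vulnerable(user, payload):
    """Vulnerable: binds every key of the request body straight onto the user object."""
    updated = deepcopy(user)
    for key, value in payload.items():
        updated[key] = value          # a "userType" key silently lands here too
    return updated


def update_profile_hardened(user, payload):
    """Hardened: only allow-listed fields are copied; everything else is reported."""
    updated = deepcopy(user)
    rejected = {}
    for key, value in payload.items():
        if key in UI_EDITABLE_FIELDS:
            updated[key] = value
        else:
            rejected[key] = value     # worth logging/alerting on: probing for hidden fields
    return updated, rejected


if __name__ == "__main__":
    # Constructed request body: a legitimate field plus a hidden property.
    body = {"address": "2 New Rd", "userType": "admin"}
    print(update_profile_vulnerable(SAMPLE_USER, body)["userType"])   # admin
    safe, dropped = update_profile_hardened(SAMPLE_USER, body)
    print(safe["userType"], dropped)                                   # user {'userType': 'admin'}
```

The rejected dict is the detection hook: a request that tries to set fields the UI never offers is exactly what an API gateway or application log should flag.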

Requirements

  • A potato … Seriously though, a small VPS or spare computer with the minimal amount of RAM and disk space will do. The APIs we will be building do not require much.
  • Python 3.x (https://www.python.org/downloads/)
  • Flask (pip install Flask but hold off if you did not do it yet, we will be creating a python virtual env)

Let’s set up

To start with, we need to set up a virtual environment. This is a place where we can install the dependencies of a particular project and keep them separate from those of other projects. This is very useful for keeping an overview, but also when one project requires a certain version of a library while another project needs a much older, non-compatible version of the same library.

mkdir "GoudAPI-infodisclosure"
cd
