Home
>
Resources
>
Blogs
>
crAPI: Mass Assignment
API Inventory
|

August 25, 2025

crAPI: Mass Assignment

Learn when to use DAST vs SAST for API security in 2026, their limitations, best practices, and how to secure modern APIs effectively.

Photo of the author of the blog post

ON THIS PAGE

10238 views

2. Click on “Past Orders” and capture the request using the ZAP proxy tool.

3. The server response shows that the endpoint supports the PUT method.

4. We discovered that we could modify the orders by using the PUT method. Take note of the “status” parameter of the server response.

5. Now fuzz the parameter’s value. Note the server response for all possible “status” parameter values.

6. We found that changing the status to “returned” would refund the order money without returning the product to the store.

7. Take note that the balance has been increased from $100 to $110.

Remediation:

1. Avoid automated mapping of request parameters to internal objects, and ignore any additional objects in the request.

2. Create an allow-list of parameters that should be allowed.

3. Use the OWASP cheatsheet for Mass Assignment.

In Levo, we are focusing on automating Mass Assignment vulnerabilities. Sign up for free and give it a try.

In our next blog post, we will learn about NoSQL Injection issues in crAPI. Stay Tuned.

Best Regards,

Amit

Summarize with AI

explore More

More from our blogs you shouldn’t miss

API Inventory

What is gRPC API

Jeevan Kumar
December 10, 2025

API Inventory

WAAP vs WAF: Key Differences, Use Cases & How to Choose the Right Protection

Sohit Suresh Gore
December 10, 2025
What is API Discovery

API Inventory

What is API Discovery: Examples, Tools and Best Practices

Jeevan Kumar
December 10, 2025
DPDP India 2025 Handbook

API Inventory

The DPDP India 2025 Handbook - The Complete Guide to India’s New Data Protection Era

Levo API Security Research Panel
December 5, 2025

We didn’t join the API Security Bandwagon. We pioneered it!

Book a Demo
View Pricing