OWASP 2019: API06 Mass Assignment


Introduction to API6:2019 Mass Assignment

Mass Assignment, listed as API6:2019 in the OWASP API Security Top 10, occurs when an API automatically binds client-supplied input to its internal data models without filtering or restricting which fields may be modified. An attacker can then guess or discover sensitive fields (such as roles, permissions, or account status) and include them in an otherwise ordinary API request to manipulate protected data. The weakness typically arises when developers expose whole objects for update without defining which properties are safe for a client to change. To prevent mass assignment, use an allowlist that names the modifiable fields explicitly, and avoid binding client input directly to complex internal objects.
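To make the contrast concrete, the following added example (written for this page, not code from OWASP or from any framework) shows a minimal profile-update handler in both forms: a vulnerable version that binds every key in the request body to the user model, and a hardened version that only accepts fields on an explicit allowlist and reports anything else. The `User` model, the `UPDATABLE_FIELDS` allowlist and the sample payload are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Constructed internal model; `role` and `is_active` are privileged fields
    that a client must never be able to set through a profile update."""
    username: str
    email: str
    role: str = "user"
    is_active: bool = True


def update_user_vulnerable(user: User, payload: dict) -> User:
    """Mass-assignment pattern: any attribute named in the request body is
    written to the model, so a client can send {"role": "admin"} and have it
    applied exactly like a harmless field."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


# Allowlist of fields a client is permitted to change on its own profile.
# Everything not listed here is protected by default.
UPDATABLE_FIELDS = frozenset({"email"})


class RejectedFieldsError(ValueError):
    """Raised when the request body names fields outside the allowlist."""

    def __init__(self, fields):
        self.fields = sorted(fields)
        super().__init__(f"fields not updatable: {self.fields}")


def unexpected_fields(payload: dict) -> list:
    """Return the request keys that are not on the allowlist. Useful both for
    input validation and as a detection signal: a client naming `role` or
    `is_active` on a self-service endpoint is worth logging."""
    return sorted(set(payload) - UPDATABLE_FIELDS)


def update_user_safe(user: User, payload: dict, reject_unknown: bool = True) -> User:
    """Hardened handler: copies only allowlisted keys onto the model.

    With reject_unknown=True (recommended) the whole request is refused when it
    carries extra fields, so the attempt surfaces as an error instead of being
    silently trimmed. With reject_unknown=False the extra fields are dropped
    and only the allowlisted ones are applied."""
    extra = unexpected_fields(payload)
    if extra and reject_unknown:
        raise RejectedFieldsError(extra)
    for key in UPDATABLE_FIELDS:
        if key in payload:
            setattr(user, key, payload[key])
    return user


if __name__ == "__main__":
    # Constructed request body: a legitimate email change with a privileged
    # field smuggled in beside it.
    body = {"email": "new@example.test", "role": "admin"}

    victim = User(username="alice", email="old@example.test")
    print("vulnerable:", update_user_vulnerable(victim, dict(body)))

    safe = User(username="alice", email="old@example.test")
    try:
        update_user_safe(safe, dict(body))
    except RejectedFieldsError as err:
        print("rejected:", err)
    print("hardened (drop mode):", update_user_safe(safe, dict(body), reject_unknown=False))
```

The allowlist lives beside the handler rather than in the model, because the set of fields a caller may change depends on the endpoint and the caller's privilege, not on the object's shape; an admin endpoint would declare its own, larger allowlist instead of widening this one. Rejecting rather than silently dropping unexpected fields is the better default: it gives the client a clear error and gives the defender a log line for each attempt.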
