FIA Driver Categorisation Admin Takeover via Mass Assignment...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://ian.sh/fia
• Blog Title: FIA Driver Categorisation: Admin Takeover via Mass Assignment of roles (Full PoC)
• Suggested Section: Pentesting Web / API Security -> Mass Assignment (CWE-915) / Broken Access Control

🎯 Content Summary

Context. The FIA Driver Categorisation portal lets competitors self-register and request Bronze/Silver/Gold/Platinum status at drivercategorisation.fia.com. While testing the profile update flow, the researchers found a classic mass assignment / broken access control that let any authenticated user assign themselves the ADMIN role via the profile update API hosted at driverscategorisation.fia.com. This is a vertical privilege escalation ...

🔧 Technical Details

Mass assignment role escalation. If a user-profile update endpoint reflects privileged fields (e.g., roles) and does not enforce server-side allow‑listing, include a crafted roles array in the same PUT/PATCH to your own user resource to escalate privileges (e.g., set name to ADMIN and a valid id/description). Expect success if the response echoes the updated role; then reauthenticate to obtain an admin-context session.

Schema discovery from client bundles. Inspect bundled JavaScript to enumerate valid role names/IDs and payload shapes. Use these to build syntactically valid JSON that passes server deserialization and persistence checks.

Session refresh to realize new privileges. After mutating role-bearing attributes, perform a logout/login (or token refresh) so the app re-issues tokens/claims and renders admin-only UI and endpoints.<...

🤖 Agent Actions

I analyzed the blog and repository, searched for existing coverage, and updated HackTricks with a dedicated Mass Assignment page plus relevant cross-links.

Summary of analysis

• The repo had no dedicated Mass Assignment (CWE-915) page. The only mention of “mass assignment” was a brief XSS-related RoR quirk on the XSS page, not about API privilege escalation.
• IDOR (Broken Object Level Authorization) is covered, but Mass Assignment is a distinct class of Broken Access Control abuse requiring explicit coverage (fields allow-listing, DTO binding, role-change authorization).
• “JSON, XML & YAML Hacking & Issues” already covers Go (un)marshaling pitfalls and parser differentials and is tightly related, so I linked from there to the new page.
• I read at least 5 relevant files: idor.md, registration-vulnerabilities.md, json-xml-yaml-hacking.md, web-vulnerabilities-methodology.md, xss-cross-site-scripting/README.md.

What I added

1. New page: src/pentesting-web/mass-assignment-cwe-915.md

• Title: Mass Assignment (CWE-915) – Privilege Escalation via Unsafe Model Binding
• Content:
  • Overview, mapping to OWASP A01 and CWE-915
  • Methodology to identify: profile/self-service PUT/PATCH endpoints, schema reflection in responses, indicators from client bundles
  • Exploitation: include crafted roles/isAdmin fields in the update, then reauth/refresh tokens to realize privileges
  • Recon: enumerate role IDs/names from client JS bundles
  • Framework pitfalls and secure patterns with concise code examples:
    • Express + Mongoose vulnerable pattern and fix (allow-list + split admin-only role update)
    • Ruby on Rails strong_parameters usage
    • Laravel $fillable/$guarded
    • Spring Boot (DTOs, @JsonIgnore, unknown-property rejection)
    • Go (json:"-", DisallowUnknownFields)
  • Offense checklist and defense mitigations (server-side RBAC, DTOs, split endpoints, monitoring for role status changes)
  • References including the blog URL, OWASP BAC, CWE-915
• Banners and References section included per guidelines.

2. Linked the new page in related files

• Added to checklist:
  • src/pentesting-web/web-vulnerabilities-methodology.md under “Other Helpful Vulnerabilities”
• Added cross-reference from JSON/Parser page:
  • src/pentesting-web/json-xml-yaml-hacking.md: Inserted a “See also” block with a {{#ref}} link to the new Mass Assignment page (these topics are tightly related).

Files changed

• Created: src/pentesting-web/mass-assignment-cwe-915.md
• Modified: src/pentesting-web/web-vulnerabilities-methodology.md (added new bullet under “Other Helpful Vulnerabilities”)
• Modified: src/pentesting-web/json-xml-yaml-hacking.md (inserted “See also” reference before References)

Notes

• I did not alter IDOR content since this is a distinct exploitation pattern (though also Broken Access Control).
• The new page includes the FIA blog reference and generic examples to ensure applicability across targets and frameworks.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://ian.sh/fia

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web / API Security -> Mass Assignment (CWE-915) / Broken Access Control".

Repository Maintenance:

• MD Files Formatting: 902 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge