Day 17 — I Built a Vulnerable API to Demonstrate a Mass Assignment Attack


via Dev.to Python, by Hafiz Shamnad

Some vulnerabilities don't need sophisticated exploits. Sometimes all it takes is a backend that trusts user input a little too much. Today I built a small Flask API to demonstrate a subtle but dangerous issue called Mass Assignment.

The Idea

Modern frameworks make development fast by automatically mapping user input into database objects. For example, when updating a user profile, developers often accept JSON data and apply it directly to the user record. Something like this:

    user.update(request.json)

Convenient. But also dangerous. If the application blindly accepts every field sent by the client, an attacker can modify hidden or sensitive fields that were never meant to be user-controlled. This is where Mass Assignment vulnerabilities appear.

Here's a simple diagram illustrating how a mass assignment attack flows—from the client's malicious POST request straight to unintended database updates:

The Lab I Built

To demonstrate the issue, I created a small Flask API with: User lo
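The following is an added example, not code from the article or its lab, that isolates the `user.update(request.json)` pattern described above and places it beside an allowlisted update that rejects fields the client was never meant to set. The `User` model, its `is_admin` field and the sample payload are constructed for illustration; the Flask route wiring is omitted so the logic runs stand-alone.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False   # hypothetical server-side field, never client-controlled
    balance: int = 0         # hypothetical server-side field, never client-controlled


def update_unsafe(user: User, payload: dict) -> User:
    """Vulnerable pattern: every key in the JSON body is copied onto the record."""
    for key, value in payload.items():
        setattr(user, key, value)
    return user


# Fields a profile-update endpoint is allowed to change (assumed for this example).
ALLOWED_PROFILE_FIELDS = frozenset({"username", "email"})


def update_safe(user: User, payload: dict) -> User:
    """Hardened pattern: apply only allowlisted keys and reject anything else.

    Rejecting (rather than silently dropping) unknown keys also gives the
    application a log-worthy signal that someone is probing hidden fields.
    """
    unknown = set(payload) - ALLOWED_PROFILE_FIELDS
    if unknown:
        raise ValueError(f"fields not permitted: {sorted(unknown)}")
    for key in ALLOWED_PROFILE_FIELDS & set(payload):
        setattr(user, key, payload[key])
    return user


# Constructed request body: a legitimate email change with a privileged field tacked on.
SAMPLE_PAYLOAD = {"email": "alice@example.com", "is_admin": True}


def run_demo() -> dict:
    """Apply the same payload through both paths and report the outcome."""
    victim = User("alice", "old@example.com")
    update_unsafe(victim, SAMPLE_PAYLOAD)
    protected = User("alice", "old@example.com")
    try:
        update_safe(protected, SAMPLE_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {"unsafe_is_admin": victim.is_admin,
            "safe_is_admin": protected.is_admin,
            "safe_rejected": rejected}
```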

Continue reading on Dev.to Python
