Assigner – Simple Tool Made To Probe For Mass Assignment Vulnerability Through JSON Field Modification In HTTP Requests



Mass Assigner is a powerful tool designed to identify and exploit mass assignment vulnerabilities in web applications. It achieves this by first retrieving data from a specified request, such as fetching user profile data. Then, it systematically attempts to apply each parameter extracted from the response to a second request provided, one parameter at a time. This approach allows for the automated testing and exploitation of potential mass assignment vulnerabilities.

Disclaimer

This tool actively modifies server-side data. Please ensure you have proper authorization before use. Any unauthorized or illegal activity using this tool is entirely at your own risk.

Features

  • Enables the addition of custom headers within requests
  • Offers customization of various HTTP methods for both origin and target requests
  • Supports rate-limiting to manage request thresholds effectively
  • Provides the option to specify “ignored parameters” which the tool will ignore during execution
  • Improved the support in nested arrays/objects inside JSON data in responses

What’s Next

  • Support additional content types, such as “application/x-www-form-urlencoded”

Installation & Usage

Install requirements

pip3 install -r requirements.txt

Run the script

python3 mass_assigner.py --fetch-from "http://example.com/path-to-fetch-data" --target-req "http://example.com/path-to-probe-the-data"

Arguments

Forbidden Buster accepts the following arguments:

  -h, --help            show this help message and exit
--fetch-from FETCH_FROM
URL to fetch data from
--target-req TARGET_REQ
URL to send modified data to
-H HEADER, --header HEADER
Add a custom header. Format: 'Key: Value'
-p PROXY, --proxy PROXY
Use Proxy, Usage i.e: http://127.0.0.1:8080.
-d DATA, --data DATA Add data to the request body. JSON is supported with escaping.
--rate-limit RATE_LIMIT
Number of requests per second
--source-method SOURCE_METHOD
HTTP method for the initial request. Default is GET.
--target-method TARGET_METHOD
HTTP method for the modified request. Default is PUT.
--ignore-params IGNORE_PARAMS
Parameters to ignore during modification, separated by comma.

Example Usage:

python3 mass_assigner.py --fetch-from "http://example.com/api/v1/me" --target-req "http://example.com/api/v1/me" --header "Authorization: Bearer XXX" --proxy "http://proxy.example.com" --data '"param1": "test", "param2":true'









0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *