Mass-Assigner - A simple tool to detect mass assignment vulnerabilities by modifying JSON fields in HTTP requests


4 months ago at 8:30 AM | Zion 3R





Mass Assigner is a powerful tool designed to identify and exploit mass assignment vulnerabilities in web applications. It first retrieves data from a specified request, such as a request that returns the user's profile data. It then systematically attempts to apply each parameter extracted from that response to the second, target request, one parameter at a time. This approach allows for automated testing and exploitation of potential mass assignment vulnerabilities.


This tool actively modifies server-side data. Please ensure that you have proper authorization before use. Any unauthorized or illegal activity using this tool is entirely at your own risk.

  • Allows adding custom headers to requests
  • Provides customization of various HTTP methods for source and target requests
  • Supports rate limiting to effectively manage request thresholds
  • Provides the option to specify "ignored parameters" that the tool will ignore during execution
  • Improved support for nested arrays/objects in JSON data in responses
  • Support for other content types, such as "application/x-www-form-urlencoded"
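As an added illustration (not Mass-Assigner's own code), the following models the one-parameter-at-a-time strategy described above against an in-memory profile update handler, once in a vulnerable form that binds every supplied field and once with a server-side allowlist; the sample profile, the value-mutation strategy, the dotted-key flattening of nested objects and the WRITABLE allowlist are all assumptions made for the example.

```python
# Constructed sample response from the "fetch-from" request (e.g. GET /api/v1/me).
FETCHED_PROFILE = {
    "id": 42,
    "email": "user@example.com",
    "role": "user",
    "settings": {"newsletter": False, "theme": "light"},
}

# Assumed server-side allowlist of fields a user may change about themselves.
WRITABLE = {"email", "settings.newsletter", "settings.theme"}

def flatten(obj, prefix=""):
    """Flatten nested JSON objects into dotted keys so nested fields get probed too."""
    flat = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        flat.update(flatten(value, name) if isinstance(value, dict) else {name: value})
    return flat

def mutate(value):
    """Pick a probe value that differs from the fetched one (assumed strategy)."""
    if isinstance(value, bool):
        return not value
    if isinstance(value, int):
        return value + 1
    return f"{value}_probe"

def probe_bodies(fetched, ignore=()):
    """One single-field body per parameter: the one-at-a-time strategy, minus ignored params."""
    return [{k: mutate(v)} for k, v in flatten(fetched).items() if k not in ignore]

def update_vulnerable(store, body):
    """Binds every supplied field to the record: the mass assignment bug."""
    store.update(body)

def update_hardened(store, body):
    """Allowlist: silently drops fields the caller is not permitted to set."""
    store.update({k: v for k, v in body.items() if k in WRITABLE})

def accepted_fields(handler, fetched, ignore=()):
    """Replay each probe against a fresh record and report the fields the server accepted.
    Any accepted field outside the intended writable set is a mass assignment finding."""
    accepted = []
    for body in probe_bodies(fetched, ignore):
        store = flatten(fetched)  # fresh flattened copy for each probe
        handler(store, body)
        (field, value), = body.items()
        if store.get(field) == value:
            accepted.append(field)
    return accepted
```

Running `accepted_fields(update_vulnerable, FETCHED_PROFILE)` reports `id` and `role` as accepted, which is the signal the tool looks for; the allowlisted handler accepts only the three writable fields.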
Install requirements

pip3 install -r requirements.txt

Run script

python3 mass_assigner.py --fetch-from "http://example.com/path-to-fetch-data" --target-req "http://example.com/path-to-probe-the-data"
The script accepts the following arguments:

-h, --help                     show this help message and exit
--fetch-from FETCH_FROM        URL to fetch data from
--target-req TARGET_REQ        URL to send modified data to
-H HEADER, --header HEADER     Add a custom header. Format: 'Key: Value'
-p PROXY, --proxy PROXY        Use Proxy, Usage ie: http://127.0.0.1:8080.
-d DATA, --data DATA           Add data to the request body. JSON is supported with escaping.
--rate-limit RATE_LIMIT        Number of requests per second
--source-method SOURCE_METHOD  HTTP method for the initial request. Default is GET.
--target-method TARGET_METHOD  HTTP method for the modified request. Default is PUT.
--ignore-params IGNORE_PARAMS  Parameters to ignore during modification, separated by comma.
Usage example:

python3 mass_assigner.py --fetch-from "http://example.com/api/v1/me" --target-req "http://example.com/api/v1/me" --header "Authorization: Bearer XXX" --proxy "http://proxy.example.com" --data '{\"param1\": \"test\", \"param2\":true}'

Download Mass-Assigner