Introduction
Mass-assignment weaknesses show up frequently in modern APIs, especially in signup endpoints that accept JSON. When the backend automatically maps request fields to internal models without filtering them, attackers can slip in additional parameters and gain privileges they shouldn’t have. This guide walks through the most effective JSON payload variations you can use to test registration flows and uncover silent logic flaws.
Why these bugs matter
Most frameworks deserialize JSON into objects automatically. If the server doesn’t enforce a strict allowlist of accepted fields, even a harmless-looking signup request can inject sensitive attributes like roles, admin flags, verification states or organization assignments. Understanding how different payload shapes behave is one of the most reliable ways to detect mass-assignment issues early.
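As an added illustration (not code from the original article), the following framework-free Python signup handler binds every model field found in the JSON body, beside an allowlist version that reads only email and password and reports any other keys; the user model, field names and request payload are constructed for this example.

```python
# Added example: mass-assignment in a JSON signup handler vs. an allowlist.
# Framework-free so it runs offline; the model and payload are constructed.
from dataclasses import dataclass, fields


@dataclass
class User:
    email: str
    password_hash: str
    role: str = "user"          # privilege attribute; must never come from the client
    is_verified: bool = False   # verification state; server-controlled


SIGNUP_ALLOWLIST = {"email", "password"}   # the only keys a signup request may set


def hash_password(password: str) -> str:
    # Stand-in for a real password hash (bcrypt/argon2); constructed for the example.
    return "hashed:" + password


def signup_unsafe(payload: dict) -> User:
    """Bug: every JSON key that matches a model field is bound, including role."""
    model_fields = {f.name for f in fields(User)}
    data = {k: v for k, v in payload.items() if k in model_fields}
    data["password_hash"] = hash_password(payload["password"])
    return User(**data)


def signup_safe(payload: dict) -> tuple[User, set]:
    """Fix: bind only allowlisted keys; return the unexpected ones so they can be logged."""
    unexpected = set(payload) - SIGNUP_ALLOWLIST
    user = User(email=payload["email"],
                password_hash=hash_password(payload["password"]))
    return user, unexpected


# Constructed signup request carrying extra privilege fields.
SIGNUP_REQUEST = {
    "email": "new@example.com",
    "password": "correct horse battery staple",
    "role": "admin",
    "is_verified": True,
}

if __name__ == "__main__":
    print(signup_unsafe(SIGNUP_REQUEST))  # role and is_verified taken from the client
    print(signup_safe(SIGNUP_REQUEST))    # defaults kept; extra keys reported
```

Logging the `unexpected` set on the safe path gives a cheap detection signal for probing of the signup endpoint.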
📝 Note: Before you continue into this article, take a moment to read the earlier one where I walked through the common techniques used in signup and…