Mass-Assigner – Simple Tool Made To Probe For Mass Assignment Vulnerability Through JSON Field Modification In HTTP Requests

Mass Assigner is a tool for finding and exploiting mass assignment vulnerabilities in web applications. It first fetches data from a source request (for example, a user-profile endpoint), then takes each parameter found in that JSON response and sends it to a second, target request, one parameter at a time. Any parameter the server accepts that the client should not be able to set (a role, a verified flag, an owner id) is a candidate mass assignment issue, and the one-parameter-at-a-time approach makes it easy to see exactly which field was accepted.

Disclaimer

This tool actively modifies server-side data. Please ensure you have proper authorization before use. Any unauthorized or illegal activity using this tool is entirely at your own risk.

Features

Custom headers can be added to requests
The HTTP method can be chosen for both the source and the target request
Rate limiting keeps the number of requests per second under a chosen threshold
"Ignored parameters" can be specified, which the tool skips during probing
Nested arrays and objects inside JSON response data are supported
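As an added illustration of the fetch-then-probe procedure described above, together with the ignored-parameter and rate-limit options from the feature list, the Python below is not the project's own code. It runs the same loop (fetch a JSON document, then send each leaf back to the target one parameter at a time, merged with any base body) against a constructed in-memory API so it executes offline. All names (FakeApi, probe_mass_assignment, leaves, nest, mutate) are hypothetical, and the success rule used here (the response reflects the value that was sent) is an assumption about how acceptance is judged, not something the page states.

```python
"""Added example (not the project's code): probe for mass assignment one
parameter at a time. The FakeApi class is a constructed stand-in for the
two HTTP endpoints so the loop can run without a network."""
import copy
import time
from typing import Any, Callable, Dict, Iterable, List, Optional, Tuple

Path = Tuple[Any, ...]  # dict keys and list indexes leading to one JSON leaf


def leaves(obj: Any, path: Path = ()) -> Iterable[Tuple[Path, Any]]:
    """Yield (path, value) for every scalar in a nested JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from leaves(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from leaves(v, path + (i,))
    else:
        yield path, obj


def nest(path: Path, value: Any) -> Any:
    """Rebuild a JSON document that contains only the given leaf."""
    if not path:
        return value
    inner = nest(path[1:], value)
    return [inner] if isinstance(path[0], int) else {path[0]: inner}


def dotted(path: Path) -> str:
    return ".".join(str(p) for p in path)


def mutate(value: Any) -> Any:
    """Choose a new value of the same type so a reflected change is unambiguous."""
    if isinstance(value, bool):          # bool before int: True is an int in Python
        return not value
    if isinstance(value, (int, float)):
        return value + 1
    if isinstance(value, str):
        return value + "_probe"
    return "probe"                       # None or other: still tests acceptance


def probe_mass_assignment(
    fetch: Callable[[], Any],
    send: Callable[[Any], Any],
    base_data: Optional[Dict[str, Any]] = None,
    ignore_params: Iterable[str] = (),
    rate_limit: Optional[float] = None,
) -> List[str]:
    """Return the dotted paths the target accepted (response reflects our value).

    Hypothetical equivalents of the tool's flags: base_data ~ --data,
    ignore_params ~ --ignore-params, rate_limit ~ --rate-limit."""
    ignored = set(ignore_params)
    base_data = base_data or {}
    accepted: List[str] = []
    for path, value in leaves(fetch()):
        name = dotted(path)
        if name in ignored or str(path[0]) in ignored:   # skip by leaf or top key
            continue
        probe_value = mutate(value)
        doc = nest(path, probe_value)                    # one candidate per request
        body = {**base_data, **doc} if isinstance(doc, dict) else doc
        if rate_limit:
            time.sleep(1.0 / rate_limit)                 # requests per second cap
        reply = send(body)
        if dict(leaves(reply)).get(path) == probe_value:
            accepted.append(name)
    return accepted


class FakeApi:
    """Constructed stand-in: get() is the source request, put() the target.
    Its bug: it merges every key it receives except READ_ONLY ones, and merges
    'profile' deeply, so a client can set profile.verified."""
    READ_ONLY = {"id", "role"}

    def __init__(self) -> None:
        self.state: Dict[str, Any] = {
            "id": 7, "name": "alice", "email": "a@example.com", "role": "user",
            "profile": {"bio": "hi", "verified": False},
        }

    def get(self) -> Any:
        return copy.deepcopy(self.state)

    def put(self, body: Dict[str, Any]) -> Any:
        for k, v in body.items():
            if k in self.READ_ONLY:
                continue
            if isinstance(v, dict) and isinstance(self.state.get(k), dict):
                self.state[k].update(v)      # deep merge: the mass assignment hole
            else:
                self.state[k] = v
        return copy.deepcopy(self.state)


def run_demo() -> List[str]:
    """Probe the fake API, ignoring fields the client is expected to own."""
    api = FakeApi()
    return probe_mass_assignment(
        api.get, api.put, base_data={"name": "alice"},
        ignore_params=("id", "name", "email"), rate_limit=None,
    )


if __name__ == "__main__":
    print("accepted:", run_demo())  # → accepted: ['profile.bio', 'profile.verified']
```

Note that, exactly as the disclaimer warns, every probe that the server accepts really changes the stored record (here profile.verified is left set to True), so run this style of test only against data you are allowed to modify.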

What’s Next

Support additional content types, such as “application/x-www-form-urlencoded”

Installation & Usage

Install requirements

pip3 install -r requirements.txt

Run the script

python3 mass_assigner.py --fetch-from "http://example.com/path-to-fetch-data" --target-req "http://example.com/path-to-probe-the-data"

Arguments

Mass Assigner accepts the following arguments:

-h, --help            show this help message and exit
--fetch-from FETCH_FROM
                      URL to fetch data from
--target-req TARGET_REQ
                      URL to send modified data to
-H HEADER, --header HEADER
                      Add a custom header. Format: 'Key: Value'
-p PROXY, --proxy PROXY
                      Use a proxy, e.g. http://127.0.0.1:8080
-d DATA, --data DATA  Add data to the request body. JSON is supported with escaping.
--rate-limit RATE_LIMIT
                      Number of requests per second
--source-method SOURCE_METHOD
                      HTTP method for the initial request. Default is GET.
--target-method TARGET_METHOD
                      HTTP method for the modified request. Default is PUT.
--ignore-params IGNORE_PARAMS
                      Parameters to ignore during modification, separated by comma.

Example Usage:

python3 mass_assigner.py --fetch-from "http://example.com/api/v1/me" --target-req "http://example.com/api/v1/me" --header "Authorization: Bearer XXX" --proxy "http://proxy.example.com" --data '{"param1": "test", "param2": true}'