The blog post discusses the importance of being vigilant and cautious while dealing with APIs, especially when there is a lack of information about the data being assigned by the API.
It highlights the vulnerability of mass assignment, where an attacker can exploit the lack of input validation and manipulate the code to perform unintended actions.
The author explains the steps to reproduce the mass assignment vulnerability by accessing the target page, logging in, adding items to the cart, enabling interception, and observing the parameters on the checkout page.
They discovered that the “chosen_discount” parameter is vulnerable to mass assignment, allowing an attacker to exploit it and potentially gain unauthorized access or manipulate data.
The post emphasizes the importance of input validation and output escaping when dealing with APIs to prevent such vulnerabilities.
Finally, the author recommends adopting a proactive approach to security and encourages developers to take appropriate measures to identify and address potential mass assignment vulnerabilities in their applications.