#0201

User Role Escalation

Difficulty: Easy | +50 XP | OWASP A08:2021 Software and Data Integrity Failures | CWE-915
Tags: Mass Assignment, Privilege Escalation

Scenario

Your API exposes a user-update endpoint. The handler blindly merges the incoming JSON body onto the stored user object. A regular user discovers they can include a 'role' field and instantly become an admin.

Mass-assignment vulnerabilities arise when request data is applied to a model without an explicit allowlist. Any field the model contains — including privileged ones — becomes writable.

Mass assignment is one of the fastest privilege escalation paths. A single missing allowlist lets any authenticated user rewrite their own role, verified status, or any other sensitive attribute.

Your Tasks

  1. Fix updateUser so that only the fields 'name', 'email', and 'bio' can be changed. Any other fields (including 'role') in the updates object must be silently ignored.

Examples

Example 1: Role escalation blocked

updateUser('alice', 'alice', { role: 'admin' }, db)
// returns user with role still 'user'

Example 2: Allowed fields accepted

updateUser('alice', 'alice', { name: 'Alice B.' }, db)
// returns user with updated name

Constraints

  • Throw exactly 'Forbidden' when requestingUserId !== targetUserId
  • Throw exactly 'Not found' when the target user does not exist
  • Return the updated user object
  • Only name, email, and bio may be modified
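The vulnerable handler beside an allowlist-based fix, as an added example that is not the challenge's reference solution. The in-memory Map store (makeDb), the helper names updateUserUnsafe and ALLOWED_FIELDS, and throwing Error objects whose message is the required string are all assumptions made here.

```javascript
// Added example, not the challenge's own solution. Assumes `db` is a Map
// keyed by user id and that "throw exactly 'Forbidden'" means an Error
// whose message is 'Forbidden'.

const ALLOWED_FIELDS = ['name', 'email', 'bio'];

// Vulnerable: every key in the request body is copied onto the stored
// record, so a caller-supplied `role` silently overwrites the privileged
// attribute. This is the mass-assignment bug the scenario describes.
function updateUserUnsafe(requestingUserId, targetUserId, updates, db) {
  if (requestingUserId !== targetUserId) throw new Error('Forbidden');
  const user = db.get(targetUserId);
  if (!user) throw new Error('Not found');
  Object.assign(user, updates); // no allowlist: role, verified, ... all writable
  return user;
}

// Fixed: iterate over the allowlist, never over the request body, so any
// field outside name/email/bio is ignored rather than merely filtered.
function updateUser(requestingUserId, targetUserId, updates, db) {
  if (requestingUserId !== targetUserId) throw new Error('Forbidden');
  const user = db.get(targetUserId);
  if (!user) throw new Error('Not found');
  for (const field of ALLOWED_FIELDS) {
    // hasOwnProperty guards against inherited keys on a crafted object
    if (Object.prototype.hasOwnProperty.call(updates, field)) {
      user[field] = updates[field];
    }
  }
  return user;
}

// Constructed sample store with a single ordinary user.
function makeDb() {
  return new Map([
    ['alice', { id: 'alice', name: 'Alice', email: 'alice@example.com', bio: '', role: 'user' }],
  ]);
}

// Same request against both handlers: only the unsafe one escalates.
const escalated = updateUserUnsafe('alice', 'alice', { role: 'admin' }, makeDb());
const blocked = updateUser('alice', 'alice', { role: 'admin', name: 'Alice B.' }, makeDb());
console.log('unsafe role:', escalated.role); // prints "unsafe role: admin"
console.log('fixed role:', blocked.role, 'name:', blocked.name); // prints "fixed role: user name: Alice B."
```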

Hint

References
