#0205

Admin Flag Injection

Difficulty: Medium | +100 XP | OWASP A08:2021 Software and Data Integrity Failures | CWE-915
Tags: Mass Assignment, Privilege Escalation, Registration

Scenario

Your registration endpoint creates a new user from the incoming request body. The handler spreads the entire payload into the new user object, trusting that clients will only send name, email, and password.

An attacker adds 'isAdmin: true' to the registration payload. Because the handler never strips this field, the freshly created account has full admin privileges from the moment of registration.

Admin flag injection through registration is a classic first-day vulnerability. If not caught in code review, it can go live and allow any registrant to become an administrator.

Your Tasks

  1. Fix registerUser so that isAdmin is always set to false regardless of what userData contains. The id should be generated as 'user-' + db.length.

Examples

Example 1: Admin flag stripped on registration

registerUser({ name: 'Eve', email: 'eve@x.com', isAdmin: true }, db)
// returns { isAdmin: false }

Constraints

  • Return the created user object with id, name, email, isAdmin
  • isAdmin must always be false in the returned object
  • id must be 'user-' + db.length (before push)
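The following is an added illustration, not the site's reference solution: the vulnerable spread-based handler the scenario describes, beside a hardened registerUser that copies only an allow-list of fields and sets isAdmin on the server. The function name registerUserVulnerable, the demo helper and the in-memory db array are assumptions made for the example.

```javascript
// Added example (not the challenge's reference solution). The vulnerable and
// hardened handlers share the signature registerUser(userData, db), where `db`
// is an in-memory array standing in for the user store.

// VULNERABLE: spreads the whole request body into the new user, so any field
// the client sends (including isAdmin) lands on the stored record.
function registerUserVulnerable(userData, db) {
  const user = { id: 'user-' + db.length, ...userData };
  db.push(user);
  return user;
}

// HARDENED: copy only the allow-listed fields; isAdmin is decided server-side
// and never read from the client. Unknown fields (isAdmin, role, ...) are
// dropped rather than stripped one by one, so new privileged fields added
// later cannot slip through either.
function registerUser(userData, db) {
  const user = {
    id: 'user-' + db.length, // generated from the length before push
    name: userData.name,
    email: userData.email,
    isAdmin: false,
  };
  db.push(user);
  return user;
}

// Constructed payload: a registrant who adds the admin flag to the body.
const hostilePayload = { name: 'Eve', email: 'eve@x.com', isAdmin: true };

// Runs both handlers on the same payload and returns the created records so
// the difference can be inspected (or asserted on) directly.
function demo() {
  const vulnerableDb = [];
  const safeDb = [];
  const before = registerUserVulnerable({ ...hostilePayload }, vulnerableDb);
  const after = registerUser({ ...hostilePayload }, safeDb);
  return { before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

The allow-list is the important design choice: deleting isAdmin from the payload (`delete userData.isAdmin`) would fix this one field but leave every other client-controlled property, such as a role or account-tier field added in a later release, flowing straight into the store. If the real handler also accepts a password, the same pattern applies, with the password hashed before it is placed on the record; that step is outside what this task asks for.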
