Java - Parameter Binding

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:java-parameter-binding
$ sudo docker run -ti -p blabla1337/owasp-skf-lab:java-parameter-binding

Now that the app is running let's go hacking!


Mass assignment is a computer vulnerability where an active record pattern in a web application is abused to modify data items that the user should not normally be allowed to access such as password, granted permissions, or administrator status.

Please take note of the following code in the . This line of code will prove critical for exploiting the parameter binding attack.

  public String createUser(User user, Model model) { // here is the issue
    model.addAttribute("content", "Your user has been created");
    return "index";

To fully understand the attack we need to examine the properties "User" model, which looks like this:

public User(String username, String password, Boolean isAdmin) {
  this.username = username;
  this.password = password;
  this.isAdmin = isAdmin;


Now, let's examine the target application and determine the objective.

Let's register a new user

Log in as the new user

Let's register a new user and intercept the request on Burp.

As we saw in this line of code:

public String createUser(User user, Model model)

Maybe if we add another parameter in the request this parameter will also pass to our new User.

Now if we login.

Bingo! We have now created a new user with Admin privileges.

Additional sources

Please refer to the OWASP cheat sheet for a full complete description about parameter binding attacks.

Last updated