<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>Mass-Assignment on Crusader Research</title>
		<link>https://crusaderproxy.com/research/en/tags/mass-assignment/</link>
		<description>Recent content in Mass-Assignment on Crusader Research</description>
		<generator>Hugo</generator>
		<language>en-US</language>
		
		
		
		
			<lastBuildDate>Sun, 05 Jul 2026 00:00:00 +0000</lastBuildDate>
		
			<atom:link href="https://crusaderproxy.com/research/en/tags/mass-assignment/index.xml" rel="self" type="application/rss+xml" />
			<item>
				<title>Parameter mining: brute-forcing 65,000 inputs in 40 requests</title>
				<link>https://crusaderproxy.com/research/en/posts/hidden-parameter-mining/</link>
				<pubDate>Sun, 05 Jul 2026 00:00:00 +0000</pubDate>
				<guid>https://crusaderproxy.com/research/en/posts/hidden-parameter-mining/</guid>
				<description>&lt;p&gt;Every endpoint has two input surfaces: the parameters the client sends, and the parameters the server will bind &lt;em&gt;if you happen to name them&lt;/em&gt;. The second surface never appears in your proxy history, never appears in the OpenAPI spec, and never gets a test written against it — which is exactly why the privilege flags and debug toggles live there. A framework binds request fields onto a model. The web and mobile clients populate six of them. The other four — &lt;code&gt;is_admin&lt;/code&gt;, &lt;code&gt;debug&lt;/code&gt;, &lt;code&gt;internal_notes&lt;/code&gt;, &lt;code&gt;account_id&lt;/code&gt; — are wired up, honored, and completely untested because nobody sends inputs they don&amp;rsquo;t know exist.&lt;/p&gt;</description>
			</item>
	</channel>
</rss>
