GuardAPI
Automated Security Protocol

How to fix Mass Assignment in ServiceStack

Executive Summary

Mass Assignment in ServiceStack occurs when an application automatically binds incoming HTTP request parameters to internal domain models or database entities without proper filtering. In ServiceStack, this typically manifests through the reckless use of the `.PopulateWith()` extension method or by sharing DTOs directly with ORM models. An attacker can inject unexpected fields (e.g., 'IsAdmin', 'Permissions', 'Balance') into the JSON payload, which the server then persists to the database, leading to privilege escalation or data corruption.

The Vulnerable Pattern

VULNERABLE CODE

using ServiceStack;
using ServiceStack.OrmLite;

// Request DTO exposing sensitive fields
public class UpdateUser : IReturnVoid {
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public bool IsAdmin { get; set; } // Sensitive field exposed to the client
}

// Service implementation
public class UserService : Service {
    public void Any(UpdateUser request) {
        // Record ID taken straight from the untrusted request body
        var user = Db.SingleById<User>(request.Id);

        // VULNERABILITY: Blindly mapping the DTO to the Entity
        // If the attacker sends { "Id": 1, "IsAdmin": true }, they gain admin rights.
        user.PopulateWith(request);

        Db.Update(user);
    }
}

The Secure Implementation

To remediate Mass Assignment, apply the Principle of Least Privilege to your DTOs:

1) Never reuse Database Entities as Request DTOs; create specific 'Input Models' that only contain fields the user is permitted to touch.
2) Stop using 'PopulateWith(request)' on existing entities unless you are passing a whitelist of property names.
3) Always fetch the target record ID from a trusted source (like an encrypted Session) rather than trusting an ID provided in the request body; this prevents Insecure Direct Object Reference (IDOR) combined with Mass Assignment.

SECURE CODE

using ServiceStack;
using ServiceStack.OrmLite;

// Secure Request DTO: Only contains fields the user is allowed to modify
public class UpdateUser : IReturnVoid {
    public string DisplayName { get; set; }
}

// Secure Service implementation
[Authenticate] // Require an authenticated session so UserAuthId is populated
public class UserService : Service {
    public void Any(UpdateUser request) {
        // Get the ID from the authenticated session, not the request body
        var session = GetSession();
        var userId = session.UserAuthId.ToInt();

        var user = Db.SingleById<User>(userId);
        if (user == null) throw HttpError.NotFound("User not found");

        // FIX: Explicit mapping. Only update authorized fields.
        user.DisplayName = request.DisplayName;

        // Alternatively, use PopulateWith with a whitelist if using ServiceStack 5.x+
        // user.PopulateWith(request, propertyNames: new[] { nameof(UpdateUser.DisplayName) });

        Db.Update(user);
    }
}
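The following is an added, self-contained .NET console example (not GuardAPI's or ServiceStack's own code) that makes the difference between the two patterns above observable without a database or a ServiceStack host. It deserializes a constructed JSON payload carrying an extra `IsAdmin` field into a DTO that still mirrors the entity, then applies it once through a blanket reflection copy (standing in for an unfiltered `PopulateWith`) and once through an allow-list of property names, which is the whitelist approach recommended in step 2. The `User`, `UpdateUserRequest`, `PopulateAll` and `PopulateAllowed` names are hypothetical and exist only for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text.Json;

// Hypothetical database entity: the record the service persists.
public class User
{
    public int Id { get; set; }
    public string DisplayName { get; set; } = "";
    public bool IsAdmin { get; set; }
}

// Request DTO that (wrongly) mirrors the entity, as in the vulnerable pattern.
public class UpdateUserRequest
{
    public int Id { get; set; }
    public string DisplayName { get; set; } = "";
    public bool IsAdmin { get; set; }
}

public static class Mapping
{
    // Copies every public source property onto the same-named writable target
    // property: the blanket behaviour that produces Mass Assignment.
    public static T PopulateAll<T>(T target, object source)
    {
        var everyName = source.GetType()
            .GetProperties(BindingFlags.Public | BindingFlags.Instance)
            .Select(p => p.Name);
        return PopulateAllowed(target, source, everyName);
    }

    // Copies only the properties whose names appear on the allow-list.
    // Anything else in the request, expected or not, is ignored.
    public static T PopulateAllowed<T>(T target, object source, IEnumerable<string> allowed)
    {
        var allowedSet = new HashSet<string>(allowed, StringComparer.Ordinal);
        foreach (var src in source.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            if (!allowedSet.Contains(src.Name) || !src.CanRead) continue;
            var dst = typeof(T).GetProperty(src.Name, BindingFlags.Public | BindingFlags.Instance);
            if (dst == null || !dst.CanWrite || !dst.PropertyType.IsAssignableFrom(src.PropertyType)) continue;
            dst.SetValue(target, src.GetValue(source));
        }
        return target;
    }
}

public static class Program
{
    // Constructed entity standing in for the row loaded from the database.
    private static User LoadStoredUser() => new User { Id = 1, DisplayName = "Alice", IsAdmin = false };

    public static void Main()
    {
        // Constructed payload: a client adds a field the UI never sends.
        const string payload = "{\"Id\":1,\"DisplayName\":\"alice\",\"IsAdmin\":true}";
        var request = JsonSerializer.Deserialize<UpdateUserRequest>(payload)!;

        // Vulnerable path: every matching property is copied, including IsAdmin.
        var vulnerable = Mapping.PopulateAll(LoadStoredUser(), request);

        // Hardened path: only DisplayName is on the allow-list, so IsAdmin stays false.
        var hardened = Mapping.PopulateAllowed(LoadStoredUser(), request,
            new[] { nameof(UpdateUserRequest.DisplayName) });

        Console.WriteLine($"blanket copy : DisplayName={vulnerable.DisplayName}, IsAdmin={vulnerable.IsAdmin}");
        Console.WriteLine($"allow-listed : DisplayName={hardened.DisplayName}, IsAdmin={hardened.IsAdmin}");
    }
}
```

The allow-list is keyed on the property names of the request DTO, so keeping the DTO itself minimal (step 1) and passing an explicit list (step 2) are complementary: even if a DTO later grows an extra field, the mapper will not write it to the entity unless the list is updated as well.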


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.