Mass Assignment Prevention

OWASP API3:2023 (Broken Object Property Level Authorization) covers mass assignment. An API accepts a JSON payload and binds it wholesale to an internal object or database record, so every property the model exposes becomes client-writable. An attacker adds fields the endpoint was never meant to accept (e.g., "is_admin": true) and the framework writes them as if they were legitimate input.

  • Never bind a request body directly to a model or database update.
  • Use Data Transfer Objects (DTOs) or strict allowlists that explicitly define which fields the caller is allowed to update, and drop or reject everything else.
Vulnerable vs Secure Implementation
// VULNERABLE
// Binds the entire req.body directly to the database update, so any
// column the model exposes (e.g. is_admin) is client-writable
await User.update(req.params.id, req.body);

// SECURE
// Explicitly destructure and allowlist only safe fields
const { email, firstName, lastName } = req.body;
// Caveat: a field the client omitted arrives here as undefined; confirm the
// ORM skips undefined values rather than writing NULL over existing data
await User.update(req.params.id, { email, firstName, lastName });
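The allowlist approach above, taken one step further as an added example (not code from the original page): a per-role allowlist, a filter that copies only fields actually present in the body, and the rejected keys surfaced so the handler can log them. The role names, the `ALICE` record and the `applyVulnerable`/`applySecure` helpers are assumptions standing in for a real model and route handler; the hostile payload is constructed.

```javascript
// Added example, not code from the Iron Codex page: a reusable allowlist
// filter with per-role field sets, run against a constructed hostile payload.
// The ALICE record, the role names and the apply* helpers are assumptions
// standing in for a real ORM model and route handler.

// Fields a caller may set, keyed by the caller's role (assumed role names).
const UPDATABLE_FIELDS = {
  user: ['email', 'firstName', 'lastName'],
  admin: ['email', 'firstName', 'lastName', 'isAdmin'],
};

// Keep only allowlisted keys that are actually present in the body.
// Iterating Object.keys (own, enumerable) and copying only matches means:
//  - an omitted field is not turned into `undefined` and written back, which
//    plain destructuring would do;
//  - keys outside the allowlist, including "__proto__" or "constructor"
//    style keys, are dropped and reported rather than silently applied.
function pickAllowed(body, allowlist) {
  const picked = {};
  const rejected = [];
  for (const key of Object.keys(body)) {
    if (allowlist.includes(key)) {
      picked[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { picked, rejected };
}

// VULNERABLE: every property the client sent is merged into the record.
function applyVulnerable(current, body) {
  return { ...current, ...body };
}

// SECURE: the patch is built from the caller's allowlist; unknown roles fall
// back to the least-privileged set, and rejected keys are returned so the
// handler can log them (repeated attempts are a useful detection signal).
function applySecure(current, body, role) {
  const allowlist = UPDATABLE_FIELDS[role] || UPDATABLE_FIELDS.user;
  const { picked, rejected } = pickAllowed(body, allowlist);
  return { user: { ...current, ...picked }, rejected };
}

// Constructed sample record and attacker payload: a legitimate email change
// carrying an injected privilege flag and a prototype-style key.
const ALICE = Object.freeze({
  id: 42, email: 'alice@example.com', firstName: 'Alice', lastName: 'Smith', isAdmin: false,
});
const HOSTILE_BODY = JSON.parse(
  '{"email":"mallory@example.com","isAdmin":true,"__proto__":{"polluted":true}}'
);

function demo() {
  const leaked = applyVulnerable(ALICE, HOSTILE_BODY);
  const safe = applySecure(ALICE, HOSTILE_BODY, 'user');
  console.log('vulnerable isAdmin:', leaked.isAdmin);   // true
  console.log('secure isAdmin:    ', safe.user.isAdmin); // false
  console.log('rejected fields:   ', safe.rejected);     // [ 'isAdmin', '__proto__' ]
  return { leaked, safe };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo();
}
```

Field-level filtering does not replace the object-level check: the handler must still verify that the caller is allowed to modify the record named by `req.params.id` at all. If the model accepts nested objects or arrays, apply the same allowlist recursively to them rather than trusting a top-level key.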