If the code accepting HTTP requests from these pages allows any field on the User object to be updated, an attacker can easily make themselves an administrator.
controllers/profile_controller.rb
```ruby
class ProfileController < ActionController::Base
  # Danger: since we are not specifying which parameters should be editable,
  # an attacker can update any value on their profile (e.g. an admin flag)!
  def update_username
    current_user.update!(params)
  end
end
```
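To make the mass-assignment risk concrete without a Rails install, here is an added example (not code from the original page): a minimal `User` model and a `Params` stand-in that mimics the strong-parameters `permit` whitelist, contrasting the vulnerable `update!(params)` with the hardened form. `User`, `Params` and the two update helpers are assumptions of this example, not Rails classes.

```ruby
# Stand-in for an ActiveRecord model: update! writes every key it is given.
class User
  attr_accessor :username, :admin

  def initialize(username:, admin: false)
    @username = username
    @admin = admin
  end

  # Like ActiveRecord#update!: each key becomes an attribute assignment,
  # so an unexpected key such as :admin is written just like :username.
  def update!(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Minimal stand-in for ActionController::Parameters: permit keeps only
# the whitelisted keys and drops everything else the client sent.
class Params
  def initialize(hash)
    @hash = hash.transform_keys(&:to_s)
  end

  def permit(*keys)
    @hash.slice(*keys.map(&:to_s)).transform_keys(&:to_sym)
  end

  def to_h
    @hash.transform_keys(&:to_sym)
  end
end

# Vulnerable: the whole request body reaches the model, as in the page's controller.
def update_vulnerable(user, params)
  user.update!(params.to_h)
end

# Hardened: only :username may change; a smuggled :admin key is discarded.
def update_hardened(user, params)
  user.update!(params.permit(:username))
end

# Constructed request body: a username change with an extra admin flag appended.
REQUEST = { username: "newname", admin: true }.freeze
```

With the same request, `update_vulnerable` flips `admin` to true while `update_hardened` changes only the username.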