Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-14 00:47:24 +00:00
Code Issues Projects Releases Packages Wiki Activity

Translated ['pentesting-web/parameter-pollution.md'] to sw

Browse source
This commit is contained in:
Translator 2024-11-12 12:25:31 +00:00
parent 8e774be4f7
commit 4028a9cb10
2 changed files with 113 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
SUMMARY.md
View file

@ -604,7 +604,7 @@
* [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md)
* [Open Redirect](pentesting-web/open-redirect.md)
* [ORM Injection](pentesting-web/orm-injection.md)
* [Parameter Pollution](pentesting-web/parameter-pollution.md)
* [Parameter Pollution | JSON Injection](pentesting-web/parameter-pollution.md)
* [Phone Number Injections](pentesting-web/phone-number-injections.md)
* [PostMessage Vulnerabilities](pentesting-web/postmessage-vulnerabilities/README.md)
* [Blocking main page to steal postmessage](pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md)

139
pentesting-web/parameter-pollution.md
View file

@ -1,18 +1,18 @@
# Parameter Pollution
# Parameter Pollution | JSON Injection
## Parameter Pollution
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
@ -21,9 +21,9 @@ Jifunze na fanya mazoezi ya GCP Hacking: <img src="../.gitbook/assets/grte.png"
{% embed url="https://websec.nl/" %}
## Muhtasari wa HTTP Parameter Pollution (HPP)
## HTTP Parameter Pollution (HPP) Overview
HTTP Parameter Pollution (HPP) ni mbinu ambapo washambuliaji wanabadilisha vigezo vya HTTP ili kubadilisha tabia ya programu ya wavuti kwa njia zisizokusudiwa. Ubadilishaji huu unafanywa kwa kuongeza, kubadilisha, au kuiga vigezo vya HTTP. Athari za ubadilishaji huu hazionekani moja kwa moja kwa mtumiaji lakini zinaweza kubadilisha kwa kiasi kikubwa utendaji wa programu upande wa seva, huku zikiwa na athari zinazoweza kuonekana upande wa mteja.
HTTP Parameter Pollution (HPP) ni mbinu ambapo washambuliaji wanabadilisha vigezo vya HTTP ili kubadilisha tabia ya programu ya wavuti kwa njia zisizokusudiwa. Ubadilishaji huu unafanywa kwa kuongeza, kubadilisha, au kuiga vigezo vya HTTP. Athari za mabadiliko haya hazionekani moja kwa moja kwa mtumiaji lakini zinaweza kubadilisha kwa kiasi kikubwa utendaji wa programu upande wa seva, huku zikiwa na athari zinazoweza kuonekana upande wa mteja.
### Mfano wa HTTP Parameter Pollution (HPP)
@ -35,11 +35,11 @@ Kwa kuingiza vigezo vya ziada `from`:
* **URL iliyobadilishwa:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000&from=accountC`
Muamala unaweza kuchajiwa kwa makosa kwa `accountC` badala ya `accountA`, ikionyesha uwezo wa HPP kubadilisha miamala au kazi nyingine kama vile upya wa nywila, mipangilio ya 2FA, au maombi ya funguo za API.
Muamala unaweza kuchajiwa kwa makosa kwa `accountC` badala ya `accountA`, ikionyesha uwezo wa HPP kubadilisha miamala au kazi nyingine kama vile kurekebisha nywila, mipangilio ya 2FA, au maombi ya funguo za API.
#### **Uchambuzi wa Vigezo Maalum kwa Teknolojia**
* Njia ambayo vigezo vinavyotafsiriwa na kupewa kipaumbele inategemea teknolojia ya wavuti inayotumika, ikihusisha jinsi HPP inavyoweza kutumika.
* Njia vigezo vinavyopangwa na kupewa kipaumbele inategemea teknolojia ya wavuti inayotumika, ikihusisha jinsi HPP inavyoweza kutumika.
* Zana kama [Wappalyzer](https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/) husaidia kubaini teknolojia hizi na tabia zao za uchambuzi.
### PHP na HPP Ukatili
@ -47,28 +47,28 @@ Muamala unaweza kuchajiwa kwa makosa kwa `accountC` badala ya `accountA`, ikiony
**Kesi ya Ubadilishaji wa OTP:**
* **Muktadha:** Mfumo wa kuingia unahitaji Nambari ya Muda Mmoja (OTP) ulitumiwa vibaya.
* **Mbinu:** Kwa kukamata ombi la OTP kwa kutumia zana kama Burp Suite, washambuliaji waligundua vigezo vya `email` katika ombi la HTTP.
* **Matokeo:** OTP, iliyokusudiwa kwa barua pepe ya awali, ilitumwa badala yake kwa anwani ya pili ya barua pepe iliyotajwa katika ombi lililobadilishwa. Kasoro hii iliruhusu ufikiaji usioidhinishwa kwa kukwepa kipimo cha usalama kilichokusudiwa.
* **Mbinu:** Kwa kukamata ombi la OTP kwa kutumia zana kama Burp Suite, washambuliaji waliga vigezo vya `email` katika ombi la HTTP.
* **Matokeo:** OTP, iliyokusudiwa kwa barua pepe ya awali, ilitumwa badala yake kwa anwani ya barua pepe ya pili iliyotajwa katika ombi lililobadilishwa. Kasoro hii iliruhusu ufikiaji usioidhinishwa kwa kukwepa kipimo cha usalama kilichokusudiwa.
Hali hii inaonyesha makosa muhimu katika nyuma ya programu, ambayo ilipokea kigezo cha kwanza cha `email` kwa ajili ya uzalishaji wa OTP lakini ilitumia cha mwisho kwa ajili ya usambazaji.
Hali hii inaonyesha makosa makubwa katika nyuma ya programu, ambayo ilipokea kigezo cha kwanza cha `email` kwa ajili ya uzalishaji wa OTP lakini ilitumia cha mwisho kwa ajili ya usambazaji.
**Kesi ya Ubadilishaji wa Funguo za API:**
* **Hali:** Programu inaruhusu watumiaji kuboresha funguo zao za API kupitia ukurasa wa mipangilio ya wasifu.
* **Njia ya Shambulio:** Mshambuliaji anagundua kwamba kwa kuongezea kigezo cha ziada `api_key` kwenye ombi la POST, wanaweza kubadilisha matokeo ya kazi ya kuboresha funguo za API.
* **Mbinu:** Kwa kutumia zana kama Burp Suite, mshambuliaji anaunda ombi ambalo lina vigezo viwili vya `api_key`: kimoja halali na kingine kibaya. Seva, ikichakata tu matukio ya mwisho, inasasisha funguo za API kwa thamani iliyotolewa na mshambuliaji.
* **Hali:** Programu inaruhusu watumiaji kubadilisha funguo zao za API kupitia ukurasa wa mipangilio ya wasifu.
* **Njia ya Shambulio:** Mshambuliaji anagundua kwamba kwa kuongeza kigezo cha ziada `api_key` kwenye ombi la POST, wanaweza kubadilisha matokeo ya kazi ya kubadilisha funguo za API.
* **Mbinu:** Kwa kutumia zana kama Burp Suite, mshambuliaji anaunda ombi ambalo lina vigezo viwili vya `api_key`: kimoja halali na kingine kibaya. Seva, ikipokea tu matukio ya mwisho, inasasisha funguo za API kwa thamani iliyotolewa na mshambuliaji.
* **Matokeo:** Mshambuliaji anapata udhibiti juu ya utendaji wa API wa mwathirika, akipata au kubadilisha data binafsi bila idhini.
Mfano huu unasisitiza zaidi umuhimu wa kushughulikia vigezo kwa usalama, hasa katika vipengele muhimu kama vile usimamizi wa funguo za API.
### Uchambuzi wa Vigezo: Flask vs. PHP
Njia ambayo teknolojia za wavuti zinashughulikia vigezo vya HTTP vilivyopigwa ni tofauti, ikihusisha uwezekano wao wa kushambuliwa na HPP:
Njia teknolojia za wavuti zinavyoshughulikia vigezo vya HTTP vilivyopigwa ni tofauti, ikihusisha uwezekano wao wa kushambuliwa na HPP:
* **Flask:** Inachukua thamani ya kigezo cha kwanza kilichokutana, kama vile `a=1` katika mfuatano wa maswali `a=1&a=2`, ikipa kipaumbele mfano wa awali kuliko nakala zinazofuata.
* **Flask:** Inachukua thamani ya kigezo cha kwanza kilichokutana, kama vile `a=1` katika mfuatano wa maswali `a=1&a=2`, ikipa kipaumbele toleo la awali kuliko nakala zinazofuata.
* **PHP (katika Apache HTTP Server):** Kinyume chake, inapa kipaumbele thamani ya mwisho ya kigezo, ikichagua `a=2` katika mfano uliopewa. Tabia hii inaweza kwa bahati mbaya kuruhusu HPP kutumika kwa kuheshimu kigezo kilichobadilishwa na mshambuliaji badala ya asili.
## Uharibifu wa vigezo kwa teknolojia
## Parameter pollution by technology
Matokeo haya yalichukuliwa kutoka [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
@ -96,7 +96,7 @@ Matokeo haya yalichukuliwa kutoka [https://medium.com/@0xAwali/http-parameter-po
1. POST RequestMapping == PostMapping & GET RequestMapping == GetMapping.
2. POST RequestMapping & PostMapping inatambua jina\[].
3. Pendelea jina ikiwa jina NA jina\[] vinapatikana.
4. Unganisha vigezo mfano wa kwanza, mwisho.
4. Unganisha vigezo e.g. kwanza, mwisho.
5. POST RequestMapping & PostMapping inatambua kigezo cha swali chenye Aina ya Maudhui.
### **NodeJS** 20.17.0 **NA** Express 4.21.0 <a href="#id-6d72" id="id-6d72"></a>
@ -104,7 +104,7 @@ Matokeo haya yalichukuliwa kutoka [https://medium.com/@0xAwali/http-parameter-po
<figure><img src="../.gitbook/assets/image (1259).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*JzNkLOSW7orcHXswtMHGMA.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*JzNkLOSW7orcHXswtMHGMA.jpeg</a></p></figcaption></figure>
1. Inatambua jina\[].
2. Unganisha vigezo mfano wa kwanza, mwisho.
2. Unganisha vigezo e.g. kwanza, mwisho.
### GO 1.22.7 <a href="#id-63dc" id="id-63dc"></a>
@ -134,27 +134,112 @@ Matokeo haya yalichukuliwa kutoka [https://medium.com/@0xAwali/http-parameter-po
1. Haitaeleweka jina\[].
2. Pendelea kigezo cha mwisho.
## Marejeleo
## JSON Injection
### Duplicate keys
```ini
obj = {"test": "user", "test": "admin"}
```
The front-end inaweza kuamini tukio la kwanza wakati backend inatumia tukio la pili la ufunguo.
### Key Collision: Character Truncation and Comments
Makala fulani hazitatafsiriwa vizuri na frontend lakini backend itazitafsiri na kutumia ufunguo hizo, hii inaweza kuwa na manufaa ili **kupita vizuizi fulani**:
```json
{"test": 1, "test\[raw \x0d byte]": 2}
{"test": 1, "test\ud800": 2}
{"test": 1, "test"": 2}
{"test": 1, "te\st": 2}
```
Kumbuka jinsi katika hizi kesi upande wa mbele unaweza kufikiri kwamba `test == 1` na upande wa nyuma utafikiri kwamba `test == 2`.
Hii pia inaweza kutumika kupita vizuizi vya thamani kama:
```json
{"role": "administrator\[raw \x0d byte]"}
{"role":"administrator\ud800"}
{"role": "administrator""}
{"role": "admini\strator"}
```
### **Kutumia Kukata Maoni**
{% code overflow="wrap" %}
```ini
obj = {"description": "Duplicate with comments", "test": 2, "extra": /*, "test": 1, "extra2": */}
```
{% endcode %}
Hapa tutatumia serializer kutoka kila parser ili kuona matokeo yake.
Serializer 1 (mfano, maktaba ya GoJay ya GoLang) itatoa:
* `description = "Duplicate with comments"`
* `test = 2`
* `extra = ""`
Serializer 2 (mfano, maktaba ya JSON-iterator ya Java) itatoa:
* `description = "Duplicate with comments"`
* `extra = "/*"`
* `extra2 = "*/"`
* `test = 1`
Vinginevyo, matumizi rahisi ya maoni yanaweza pia kuwa na ufanisi:
```ini
obj = {"description": "Comment support", "test": 1, "extra": "a"/*, "test": 2, "extra2": "b"*/}
```
Maktaba ya GSON ya Java:
```json
{"description":"Comment support","test":1,"extra":"a"}
```
Maktaba ya simdjson ya Ruby:
```json
{"description":"Comment support","test":2,"extra":"a","extra2":"b"}
```
### **Kukosekana kwa Kipaumbele: Deserialization dhidi ya Serialization**
```ini
obj = {"test": 1, "test": 2}
obj["test"] // 1
obj.toString() // {"test": 2}
```
### Float and Integer
Nambari
```undefined
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
```
inaweza kufasiriwa kwa uwakilishi mwingi, ikiwa ni pamoja na:
```undefined
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
9.999999999999999e95
1E+96
0
9223372036854775807
```
Which might create inconsistences
## References
* [https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)
* [https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution](https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution)
* [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
* [https://bishopfox.com/blog/json-interoperability-vulnerabilities](https://bishopfox.com/blog/json-interoperability-vulnerabilities)
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
{% embed url="https://websec.nl/" %}
{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
Jifunze & fanya mazoezi ya AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}