GITBOOK-4429: No subject

This commit is contained in:
CPol 2024-11-12 12:17:34 +00:00 committed by gitbook-bot
parent 2a67d6a452
commit 42b2b7ec05
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 105 additions and 2 deletions

@ -604,7 +604,7 @@
* [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md)
* [Open Redirect](pentesting-web/open-redirect.md)
* [ORM Injection](pentesting-web/orm-injection.md)
* [Parameter Pollution](pentesting-web/parameter-pollution.md)
* [Parameter Pollution | JSON Injection](pentesting-web/parameter-pollution.md)
* [Phone Number Injections](pentesting-web/phone-number-injections.md)
* [PostMessage Vulnerabilities](pentesting-web/postmessage-vulnerabilities/README.md)
* [Blocking main page to steal postmessage](pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md)
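Review bot: missing commit message: the commit is recorded as "No subject", so the retitling of the SUMMARY entry to `[Parameter Pollution | JSON Injection](pentesting-web/parameter-pollution.md)` (same target path as the removed `[Parameter Pollution]` line, so existing links keep resolving) has no description in history; add a one-line subject such as "Add JSON Injection section to the Parameter Pollution page" so the rename and the 105 added lines are traceable.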

@ -1,4 +1,4 @@
# Parameter Pollution
# Parameter Pollution | JSON Injection
## Parameter Pollution
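Review bot: documentation: the H1 now names two topics, `# Parameter Pollution | JSON Injection`, while the page still lives at parameter-pollution.md and the first thing under the heading is `## Parameter Pollution` with no introduction; add a sentence under the H1 stating that both sections describe the same failure class, two components (proxy and application, frontend and backend, validator and consumer) interpreting the same request or document differently, so the reader sees why JSON injection sits on this page rather than on its own.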
@ -136,11 +136,114 @@ There results were taken from [https://medium.com/@0xAwali/http-parameter-pollut
1. NOT Recognized name\[] .
2. Prefer the last parameter .
## JSON Injection
### Duplicate keys
```ini
obj = {"test": "user", "test": "admin"}
```
The front-end might believe the first ocurrence while the backend uses the second ocurrence of the key.
### Key Collision: Character Truncation and Comments
Certain characters aren't going to be correctly interpreted by the frontend but the backend will interpret them and use those keys, this could be useful to **bypass certain restrictions**:
```json
{"test": 1, "test\[raw \x0d byte]": 2}
{"test": 1, "test\ud800": 2}
{"test": 1, "test"": 2}
{"test": 1, "te\st": 2}
```
Note how in these cases the front end might think that `test == 1` and the backend will think that `test == 2`.
This can also by used to bypass value restrictions like:
```json
{"role": "administrator\[raw \x0d byte]"}
{"role":"administrator\ud800"}
{"role": "administrator""}
{"role": "admini\strator"}
```
### **Using Comment Truncation**
{% code overflow="wrap" %}
```ini
obj = {"description": "Duplicate with comments", "test": 2, "extra": /*, "test": 1, "extra2": */}
```
{% endcode %}
Here we will use the serializer from each parser to view its respective output.
Serializer 1 (e.g., GoLang's GoJay library) will produce:
* `description = "Duplicate with comments"`
* `test = 2`
* `extra = ""`
Serializer 2 (e.g., Java's JSON-iterator library) will produce:
* `description = "Duplicate with comments"`
* `extra = "/*"`
* `extra2 = "*/"`
* `test = 1`
Alternatively, straightforward use of comments can also be effective:
```ini
obj = {"description": "Comment support", "test": 1, "extra": "a"/*, "test": 2, "extra2": "b"*/}
```
Javas GSON library:
```json
{"description":"Comment support","test":1,"extra":"a"}
```
Rubys simdjson library:
```json
{"description":"Comment support","test":2,"extra":"a","extra2":"b"}
```
### **Inconsistent Precedence: Deserialization vs. Serialization**
```ini
obj = {"test": 1, "test": 2}
obj["test"] // 1
obj.toString() // {"test": 2}
```
### Float and Integer
The number
```undefined
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
```
can be decoded to multiple representations, including:
```undefined
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
9.999999999999999e95
1E+96
0
9223372036854775807
```
Which might create inconsistences
## References
* [https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)
* [https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution](https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution)
* [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
* [https://bishopfox.com/blog/json-interoperability-vulnerabilities](https://bishopfox.com/blog/json-interoperability-vulnerabilities)
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
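Review bot: the code fences in the new JSON Injection section are mis-tagged and two payloads carry a stray Markdown escape, so a reader copying them gets the wrong bytes: the `obj = {...}` blocks are tagged `ini` and the big-number blocks `undefined`; tag the former `javascript` and the latter `text` (or `json` for the pure literals). Inside a fenced block backslashes are literal, so `{"test": 1, "test\[raw \x0d byte]": 2}` and `{"role": "administrator\[raw \x0d byte]"}` should read `"test[raw \x0d byte]"` and `"administrator[raw \x0d byte]"`; the `\ud800` and `te\st` sequences are the intended malformed input and must stay as written. Missing explanation: the "Inconsistent Precedence" and "Float and Integer" sub-sections show output without a line of prose; state that the parser returns the first duplicate on lookup but emits the last on serialization, and that each line of the number block is what a different parser family produces (the exact integer, a float, exponent notation, zero, or 9223372036854775807, the signed 64-bit maximum), and close with what a tester does with this: a validator and a consumer that see different values for the same key. Spelling and grammar: "ocurrence" should be "occurrence" (twice in the Duplicate keys paragraph), "can also by used" should be "can also be used", "Javas"/"Rubys" need apostrophes, and "Which might create inconsistences" is a fragment; make it "which might create inconsistencies between parsers." The hunk's context header still reads "There results were taken from", which should become "These results" in a follow-up.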