Parameter Pollution
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
HTTP Parameter Pollution (HPP) Overview
HTTP Parameter Pollution (HPP) is an attack technique that supplies the same HTTP parameter more than once in a request in order to alter a web application's expected behavior. The technique is relatively straightforward but can be remarkably effective. Although the server-side handling of the duplicated parameters is not visible to the user, the resulting behavior changes can be observed on the client side.
Example of HTTP Parameter Pollution (HPP)
Consider a standard transaction URL for a banking application:
URL: https://www.victim.com/send/?from=accountA&to=accountB&amount=10000
This URL initiates a transaction of 10,000 from accountA to accountB. However, introducing another from parameter like so:
Manipulated URL: https://www.victim.com/send/?from=accountA&to=accountB&amount=10000&from=accountC
might result in the transaction being deducted from accountC instead of accountA, depending on which occurrence of from the backend honours. This exemplifies how HPP can be used to manipulate parameters. Notably, this vulnerability is not confined to GET requests but can also be exploited in POST requests across various functionalities such as password changes, 2FA, or API key transmissions.
It's important to recognize that parameter parsing is dependent on the specific web technology in use. Tools like Wappalyzer can be used to identify web technologies and understand their parameter parsing behaviors.
PHP
A notable instance of exploiting HPP involved the following steps:
- OTP Manipulation:
  - A login page requesting an OTP was the target.
  - After sending an OTP request, the subsequent HTTP request was intercepted using Burp Suite.
  - Another email was added to the request, effectively duplicating the email parameter.
  - The OTP intended for the first email was mistakenly sent to the second email, allowing unauthorized access to the first account.
This incident underscores how the application backend processed the email parameters, utilizing the first for OTP generation and the second for OTP delivery.
Parameter Parsing in Flask & PHP
Different web technologies parse parameters uniquely. For instance, with a query like a=1&a=2, Flask and PHP will interpret the parameter differently:
- Flask: Takes the first occurrence (a=1).
- PHP (on Apache HTTP Server): Takes the last occurrence (a=2).
This difference in parameter handling can significantly impact application behavior and vulnerability to HPP attacks. More details on this can be found in this writeup.
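The following is an added example (not part of the HackTricks page) that shows the two views a first-wins parser (Flask's request.args.get) and a last-wins parser (PHP's $_GET) take of the banking URL above, plus the check a backend or WAF rule should apply: refuse any request in which a key is duplicated, so no two components can disagree about which value is authoritative. The URL is the page's own placeholder; the function names are this example's.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the page's manipulated URL with "from" supplied twice.
# www.victim.com is the page's placeholder hostname, not a real target.
POLLUTED_URL = "https://www.victim.com/send/?from=accountA&to=accountB&amount=10000&from=accountC"
POLLUTED_QUERY = urlsplit(POLLUTED_URL).query


def all_values(query):
    """Every value of every key, in order of appearance; nothing is dropped."""
    return parse_qs(query, keep_blank_values=True)


def first_wins(query):
    """Emulates parsers that keep the first occurrence (Flask / Werkzeug MultiDict.get)."""
    return {k: v[0] for k, v in all_values(query).items()}


def last_wins(query):
    """Emulates parsers that keep the last occurrence (PHP's $_GET on Apache)."""
    return {k: v[-1] for k, v in all_values(query).items()}


def polluted_keys(query):
    """Keys that appear more than once: the signal a server-side check or WAF rule should log and alert on."""
    return sorted(k for k, v in all_values(query).items() if len(v) > 1)


def strict_params(query):
    """Defensive parse: reject the request outright when any key is duplicated,
    instead of silently choosing the first or last value."""
    dupes = polluted_keys(query)
    if dupes:
        raise ValueError(f"duplicate query parameters rejected: {dupes}")
    return first_wins(query)


if __name__ == "__main__":
    print("first-wins view:", first_wins(POLLUTED_QUERY))   # from=accountA
    print("last-wins view: ", last_wins(POLLUTED_QUERY))    # from=accountC
    print("polluted keys:  ", polluted_keys(POLLUTED_QUERY))  # ['from']
```

The two views disagree only on the duplicated key, which is exactly why a shared front end (WAF, gateway) and a backend written in different stacks can validate different values; rejecting duplicates removes the ambiguity.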
References
- https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654
- https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution