Week 52 - Parameter Pollution
This week’s #WebHackingSeries tip covers HTTP Parameter Pollution!
Parameter Pollution occurs when you specify a duplicate GET or POST parameter, with the goal of tricking the application into issuing an unauthorized request. Say we have the following URL:
victim[.]com/auth/generate_otp?email=user@user[.]com&method=email
This URL generates a One-Time-Password for users to log in to their account. We can trick a vulnerable application by using parameter pollution:
victim[.]com/auth/generate_otp?email=user@user[.]com&email=jake@hacker[.]com&method=email
Note the additional GET parameter ‘email’, which contains jake@hacker[.]com. Assuming this application is vulnerable, the back-end would use the first ‘email’ parameter to generate the OTP, and the second ‘email’ parameter to send the OTP. This allows jake@hacker[.]com to take over the account user@user[.]com through a parameter pollution attack.
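The first-versus-second mismatch described above, next to a handler that rejects repeated parameters, as an added example that is not part of the original tip. The function names and the example.com/example.net addresses are constructed for illustration, and the two lookup helpers stand in for back-end components that read the query string differently.

```python
from urllib.parse import parse_qs

# Constructed query strings modelled on the two URLs above.
BENIGN = "email=user@example.com&method=email"
POLLUTED = "email=user@example.com&email=second@example.net&method=email"


class DuplicateParameter(ValueError):
    """A parameter that must be single-valued appeared more than once."""


def first_value(query, name):
    # Hypothetical component A: keeps the first occurrence.
    return parse_qs(query)[name][0]


def last_value(query, name):
    # Hypothetical component B: keeps the last occurrence.
    return parse_qs(query)[name][-1]


def inconsistent_handler(query):
    """Vulnerable pattern: the OTP is generated for one value and sent to another."""
    return {"otp_for": first_value(query, "email"),
            "send_to": last_value(query, "email")}


def strict_params(query, required=("email", "method")):
    """Parse once, reject repeated or missing parameters, return single values."""
    parsed = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    for name, values in parsed.items():
        if len(values) > 1:
            raise DuplicateParameter(name)
    missing = [n for n in required if n not in parsed]
    if missing:
        raise ValueError(f"missing parameter(s): {missing}")
    return {name: values[0] for name, values in parsed.items()}


def hardened_handler(query):
    """The same parsed value drives both the account lookup and the delivery."""
    params = strict_params(query)
    return {"otp_for": params["email"], "send_to": params["email"]}
```

Rejecting the request outright is stricter than silently picking one occurrence, and it also surfaces pollution attempts in application logs.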
Hit me with a follow for more Offensive Security Tips!