Week 52 - Parameter Pollution

This week’s #WebHackingSeries tip covers HTTP Parameter Pollution!

Parameter Pollution occurs when you specify a duplicate GET or POST parameter, with the goal of tricking the application into issuing an unauthorized request. Say we have the following URL:

victim[.]com/auth/generate_otp?email=user@user[.]com&method=email

This URL generates a One-Time-Password for users to log in to their account. We can trick a vulnerable application by using parameter pollution:

victim[.]com/auth/generate_otp?email=user@user[.]com&email=jake@hacker[.]com&method=email

Note the additional GET parameter ‘email’, which contains jake@hacker[.]com. Assuming this application is vulnerable, the back-end would use the first ‘email’ parameter to generate the OTP, and the second ‘email’ parameter to send the OTP. This allows jake@hacker[.]com to take over the account user@user[.]com through a parameter pollution attack.

Hit me with a follow for more Offensive Security Tips!
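On the defensive side, the flaw described above comes from two components resolving a repeated parameter differently. The following is an added example, not code from the original post: it shows that disagreement and a handler that rejects repeated parameters. All function names are hypothetical and the addresses are constructed placeholders.

```python
from urllib.parse import parse_qsl

class DuplicateParameter(ValueError):
    """Raised when a query string repeats a single-valued parameter."""

def first_value(query, name):
    # Mimics a component that keeps the first occurrence of a parameter.
    return next(v for k, v in parse_qsl(query, keep_blank_values=True) if k == name)

def last_value(query, name):
    # Mimics a component that keeps the last occurrence (dict-style overwrite).
    return dict(parse_qsl(query, keep_blank_values=True))[name]

def disagreement(query, name="email"):
    # True when the two conventions would resolve the parameter differently.
    return first_value(query, name) != last_value(query, name)

def strict_params(query, single_valued=("email", "method")):
    """Parse a query string, refusing any repeat of a single-valued parameter."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params and key in single_valued:
            raise DuplicateParameter(f"parameter {key!r} supplied more than once")
        params[key] = value
    return params

def generate_otp_request(query):
    """Hardened handler sketch: one parsed value drives both lookup and delivery."""
    params = strict_params(query)
    email = params["email"]
    return {"otp_for": email, "send_to": email, "method": params["method"]}

# Constructed sample inputs (placeholder addresses, not from the post).
CLEAN = "email=user@example.test&method=email"
POLLUTED = "email=user@example.test&email=other@example.test&method=email"

if __name__ == "__main__":
    print("parsers disagree on polluted input:", disagreement(POLLUTED))
    print("clean request:", generate_otp_request(CLEAN))
    try:
        generate_otp_request(POLLUTED)
    except DuplicateParameter as exc:
        print("rejected:", exc)
```

Parsing once and passing the same value to every downstream step, rather than letting each component re-read the raw request, is what removes the first-versus-second ambiguity.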
