Parameter Pollution |
Overview HTTP Parameter Pollution may occur when multiple parameters with the same name are sent to a web page. The web server may exhibit odd behavior and process the request despite having multiple parameters with the same name. There is nothing in the HTTP protocol that forbids passing multiple parameters with the same name. Web application servers will sometimes take the first parameter, the second parameter, or concatenate both together. This can allow an attacker to poison the input. Discovery Methodology Choose any parameter and duplicate that parameter. Give the copy a different value to make detection easier. Submit the request and observer how the web server deals with the polluted parameter. Note carefully whether the server processes the value from the first parameter, the second parameter, or merges both values together. Exploitation Once it is know how the web server will use the parameters, use parameter pollution. For example, if the web server concatenates values, submit half of the payload in the first copy and half in the second allowing the web server to put the values together. This allows WAF and validation bypass in some cases. Example Example for page user-poll.php Change the value of the submit button. Add "&choice=something" to the current value. This will create a second "choice" parameter in the GET. Note which choice parameter is actually processed. Is it the correct parameter or the injected parameter? Change the value of the hidden parameter which comes before the real "choice" parameter. Add "&choice=something" to the current value. This will create a second "choice" parameter in the GET. Note which choice parameter is actually processed. Is it the correct parameter or the injected parameter? Videos Click here to watch Introduction to HTTP Parameter Pollution |