HTTP Parameter Pollution Explained

This is gold, I'm glad this was randomly recommended to me

I’m definitely not infosec, your videos attract people and you are definitely a special channel for being able to pull anyone into the topic

This is great content, you'll go places.

Another interesting angle I only recently learned of about messing with query parameters is that (at least in PHP) ending a parameter with square brackets (like "e[]=cats ) will cause the type of $_GET['quote'] (without the brackets) to no longer be a scalar string but rather an array, which can also mess logic up if not properly checked/handled.

You actually made me realise that my Express app is insecure in the context I woudn't have even think of. I was explicitly assuming all parameters would be as strings, not arrays. Fortunately it's nothing severe and it doesn't crash the server, it just throws 500 anyways but it's good to be aware. :)

Lesson: If you’re not escaping output and casting/coercing data on input then you’re doing it wrong. i.e. Always escape content to the correct encoding when outputting (e.g. escape HTML entities when output to HTML, encode URL/URI entities when intended for a URI parameter, etc). Also, always force the type when taking input and also perform some basic validation. E.g. if it’s a string, cast it to a string, validate it and/or compare it to a set of known possible values and so on (that’s just a limited example). Basically….
Treat ALL input as hostile.

Developer here, your video was randomly recommended to me, and while I'm familiar with many injection-type attacks, I hadn't actually seen this one before. Thanks for the info, that was really interesting.

PHP backend dev here, info sec only as hobby. Thank you so much for this. You've gained a loyal subscriber.

"Parse, don't validate." This is why it's so important to coerce requests into structured data where invariants are enforced, rather than manually checking for bad behavior.

I love the subtle Matrix reference with the names.

This really is an amazing video dude, please do not stop creating content

You explain it so well. Don't stop creating content! InfoSec Community loves you!

Dev here. This was recommended at random, and it's spot on.
You have a knack to teach things, which is not the most common thing!
Pace, focus, depth... I've subscribed to your channel. Keep it up.

Recently got a project where I need to consider this kinda thing, so glad you came up in my recommended

im a dev and i watch ur videos.. was not shared by a infosec friend, but rather i subscribe to infosec to keep myself on my toes.

Nice overview of a simple CSRF attack. This form of attack is marked on the top 25 most dangerous software weaknesses in 2020. It is also an easy attack to resolve.

The algorithm has blessed me with this video

As a developer, I'm always looking to learn new stuff. Cheers for adding another bit of info to my life. Subbed!

I feel like the default behavior of a web framework should be to throw an error in this case, and force you to specify which behavior you want if you really need it.

Definitely something I will search for in the web applications I am developing at work! Thanks for the great content!

now this is the type of content I'm looking for !! great job

One of the finest content I have ever found on TH-cam. Please don't stop making videos. I will patron you.

This is amazing content! subscribed

Keep it up! Great content, I wd say the best content for me on sec-field so far!

Awesome video like always:). Keep em coming!

Amazing... I am impressed .. Keep'em coming..

Wonderfully explained! Thank you!

Man I swear you're brilliant

Sick video, keep up the good work!

Awesome Content!
Keep doing it man!

explaination is clean, easy to understand and enjoyable.

First time here you really did a great job in this tutorial. Thanks for this

i realy understand in one go .. THANKS man!..great content

Nice simple thing, well explained

Subscribed! ...Useful and interesting and intelligent content!!

Not in the infosec community but still in uni (gonna do software dev after), really helpful video for when doing critical work to keep these things in mind, thank you

Great content. Made me understand it. Here before 100k!

Your videos are wonderful. Thank you so much! I

Nice vid, keep up the good work!:)

I'm not InfoSec, but the way you explain is really clearly and I love it. Keep going sir!

Wow Amazing . So clear :) Thanks

Lit content man, amazing

Excellent! Infosec here for sure, but I will be sharing this with my developers.

pretty cool intro mate, thanks for sharing

really good video, so clear and make sense

I'm glad it got into my recommended

Web developer trying to get better. You came up recommended after a Nextjs Auth with Firebase tutorital and have been binging. Love the content and looking forward to making my applications more secure.
Thank You!

Thanks. I had no idea about this

Loving this channel and expecting for future content

This is really awesome 😎... I love your videos ❤️❤️

Great explanation bruh ....... keep making such videos !!!
Love from INDIA, Mumbai :)

Amazing video, subbed

Your contents are best

I work for a team that's vaguely in the infosec world, but actually am a fullstack web dev, so your message hit its mark.

Yo this content is so lit! Love it

Another great video!
Please keep them coming..

Great video !!

Dude you are awesome.

really great content. good luck sir .

Wow i am so glad i got this channel suggested gj

cool, never thought of that

I learned alot from this.

Great videos! You are a natural at explaining the topics in an easy to understand manner and at a perfect pace. The Hacker101 videos are nice, but they go way too fast and not enough depth. You doing this perfectly! You might consider redoing their videos in a new series breaking them down into smaller chunks. Great work, please keep them coming. You might setup a patreon as well. I’d glad support you financially

I coded a few rudimentary webservers from scratch and in one where I used query parameters, I came across the conundrum of how to address multiple matches, among other syntactic oddities. Interesting to see that this question can be highly significant.

The best youtuber award goes to @PwnFunction
You are awssome
keep doing this type of content

Great content

Wow thanks man ❤️

That was AWSOME

Very good video, keep going !

Amazing work thanks for sharing

Awesome! Keep continuing

"You can still find a lot of those vulnerabilities because the developers don't really know about it"
... so true. I first learned about this unstandardized behaviour when I needed to parse a query parameter as an array. There simply is no standard for that! I also worked with a lot of the technologies you mentioned... and even though I was really annoyed by the missing standardization and I certainly noticed it I didn't have the realization that this could lead to vulnerabilities :O
Thanks to your video I have informed the team for which I used to work to look into the messes I might have produced. Thanks!

Amazing quality

Thanks heaps. Well explained.

This video blew my mind

Great!
Thank you

I will definitely watch out for this attack in my Flask app, thanks!!

Very interesting content, thank you.

Just love the animation

WOAH!
YOU'RE MY HERO

Awesome Video :) I was quite confused with HPP attack. Please make more videos like this on XXE, SSRF :D

you make a small website for every video? that definetly earned my sub !

Thenk you for giving me inspiration that I can be developer. Instant sub.

Awesome dude!

Very underrated channel

nicely explained!!

I love the way you explain bro.....specially..those sketchy diagrams. Make more videos bro.

Concepts are cleared buddy :)

Excellent 🥰

plz never stop making videos

This is freaking awesome 😍

The algorithm just blessed you

Dev here 👋🏻 i‘ll keep this in mind, thank you

You can tell the effort put into this video was not a small amount. Really good job, made it easy to understand fully

awesome video thanks so much :)

thanks m8, really didnt know about that and found a bug in my backend by that

fantastic video

10:17 nowdays developers are more aware. Even in my studies they teach me how to prevent direct parameter passing with SQL by using placeholder variables instead. This way SQL injection might be prevented. There are countless other methods developers can work around this, it's just an example. It doesn't take away the fact that a lot of old bricks (websites that made the web exist in the end) of the internet still contain a massive amount of errors when these things weren't as clear yet in the time the internet rose up.

i understand this one, thank you bro

nice video man