Exploiting Server-side Parameter Pollution in a Query String
- Published 3 Aug 2024
- 👩🎓👨🎓 Learn about API testing (and server-side parameter pollution)! To solve this lab, we'll need to log in as the administrator and delete the user carlos.
If you're struggling with the concepts covered in this lab, please review portswigger.net/web-security/... 🧠
🔗 Portswigger challenge: portswigger.net/web-security/...
🧑💻 Sign up and start hacking right now - go.intigriti.com/register
👾 Join our Discord - go.intigriti.com/discord
🎙️ This show is hosted by @_CryptoCat & Intigriti
👕 Do you want some Intigriti Swag? Check out swag.intigriti.com
Overview:
0:00 Intro
0:26 Server-side parameter pollution
1:21 Testing for server-side parameter pollution in the query string
1:57 Truncating query strings
3:03 Injecting invalid parameters
3:42 Injecting valid parameters
4:20 Overriding existing parameters
5:24 Lab: Exploiting server-side parameter pollution in a query string
5:37 Explore site functionality
6:18 Analyse JavaScript
7:03 Probe password reset for parameter pollution
9:19 Brute-force parameter with burp intruder
10:25 Reset administrator password with leaked token
10:53 Conclusion
Thank you for showing everything clearly!
🥰
Can you do more analysis of the source code of the vulnerability, and try to look it over and fix it?
Heyyy, quite often with these labs we don't get access to the source code but at the end of a topic we review the mitigations / defenses. Request noted though! Maybe I can put together some simple code snippets for some examples.
Great video buddy
Thanks mate! 👊
Yo awesome, I'm doing this now
Nice! 👊
Burp Suite Intruder tab "add from list" is available in the Pro version only
The pre-set lists are Pro-only, but you should be able to import your own wordlist, with one word on each line.
@intigriti I don't get why reset_token was added to the field parameter? field=reset_token. Aren't they both parameters? What is the logic behind this?
The "field" is indeed the parameter, but since we saw "email" was a valid value for the field parameter, it makes sense that other form fields on the page would also be accepted ("reset_token" in this case).
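To make the point in this reply concrete, here is an added example (not code from the video or from the lab) of a simulated internal lookup API in Python: the vulnerable query builder interpolates the caller's raw input into the query string, while the hardened one URL-encodes the value and allow-lists the field name it will ask for. The endpoint path, the user record and the token are constructed placeholders.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample record for the simulated internal API; the token is a placeholder.
USERS = {"administrator": {"email": "admin@example.test",
                           "reset_token": "TOKEN-PLACEHOLDER"}}

# Fields the public password-reset flow is permitted to read from the internal API.
PUBLIC_FIELDS = {"email"}

def internal_api(url):
    """Simulated internal endpoint: returns the requested field of a user record.
    It trusts whatever the query string says, and a repeated parameter is
    resolved last-one-wins, so an injected 'field' can replace the intended one."""
    params = parse_qs(urlsplit(url).query)  # urlsplit drops anything after '#'
    user = USERS.get(params.get("username", [""])[0], {})
    field = params.get("field", ["email"])[-1]
    return user.get(field)

def vulnerable_lookup(username):
    # Raw interpolation: '&', '=' and '#' in the input become query syntax.
    return internal_api(f"/users/lookup?username={username}&field=email")

def hardened_lookup(username, field="email"):
    # Encode the value so it stays a single parameter value, and allow-list the
    # field name so the public flow can never request reset_token.
    if field not in PUBLIC_FIELDS:
        raise ValueError(f"field not permitted: {field}")
    return internal_api(f"/users/lookup?username={quote(username, safe='')}&field={field}")
```

Run the same input through both builders to see that only the vulnerable one lets the caller change which field the internal API returns.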
It's a great video
Thanks! 💜
Well, the lab solution seems to be way too unrealistic... what was even that?
Which part? Is it not realistic that a company would have an internal API, not accessible through the internet? Or that they might pass some user input to that API? 🤔
@intigriti Yes, why would that even be an option? It's no longer about pollution... it's simply undocumented functionality of the API.
Undocumented functionality is the source of many vulnerabilities! You could have an undocumented function with an XSS or SQLi vulnerability, why not one with a parameter pollution vuln? 🙂
@intigriti lmao you're right, thx 😔😔