HTTP Parameter Pollution Vulnerability
This blog post is about how I was able to find an “HTTP Parameter Pollution” issue on a government website. The issue was reported and has now been fixed.
So, what is “HTTP Parameter pollution”?
HTTP Parameter Pollution can be classified into two categories: client-side or server-side. Each technology parses parameters differently, so different attacks become possible. Depending on where the behaviour is triggered, this enables client-side or server-side attacks. In each case the parameters are manipulated to influence the front-end (client) or the back-end (server) of the web application.
HTTP Parameter Pollution tests the application's response to receiving multiple HTTP parameters with the same name; for example, if the parameter username is included in the GET or POST parameters twice.
Supplying multiple HTTP parameters with the same name may cause an application to interpret the values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variable values. Because HTTP Parameter Pollution affects a building block of all web technologies, both server-side and client-side attacks exist.
How I was able to find this issue
There was a forgot-password function on the login page. I clicked on it, and it asked for the user's email ID in order to send a change-password confirmation link. So I initially tampered with the request and added a duplicate email ID parameter containing another address, the attacker's email address. When I forwarded the request, the email was received at the attacker's mail ID, and I was then able to change the user's password and successfully log in to the user's account using the new password. As the password-change confirmation link is received at the attacker's mail ID, an attacker can successfully change the user's password and log in to the victim's account.

What is the remediation?
In order to prevent these kinds of vulnerabilities, extensive and proper input validation should be performed. Each web technology/language has a safe way of reading parameters that developers should conform to. Moreover, awareness should be raised that clients/users can supply more than one parameter with the same name.
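The following is an added example (not code from the original post or from the affected site) that illustrates both the parsing behaviour described above and the remediation: it shows how common "first", "last" and "join" policies silently collapse a duplicated parameter, and a hardened accessor that rejects any request in which a security-sensitive parameter does not appear exactly once. The query strings, the `resolve` and `require_single` helpers and the simulated `handle_forgot_password` handler are all constructed for this illustration.

```python
from urllib.parse import parse_qs

# Constructed sample requests: a clean forgot-password request and one in
# which the email parameter has been duplicated.
CLEAN_QUERY = "email=user%40example.com"
POLLUTED_QUERY = "email=user%40example.com&email=second%40example.com"


def parse_params(query: str) -> dict[str, list[str]]:
    """Parse a query string, keeping every occurrence of each parameter."""
    return parse_qs(query, keep_blank_values=True)


def resolve(params: dict[str, list[str]], name: str, policy: str):
    """Collapse duplicates the way common backends do (policies chosen for
    illustration): 'first' keeps the first value, 'last' the last value,
    'join' concatenates all values with commas. Each policy silently hides
    the fact that the parameter was repeated."""
    values = params.get(name, [])
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "join":
        return ",".join(values)
    raise ValueError(f"unknown policy {policy!r}")


def require_single(params: dict[str, list[str]], name: str) -> str:
    """Hardened accessor: refuse the request unless the parameter appears
    exactly once, instead of guessing which copy was intended."""
    values = params.get(name, [])
    if len(values) != 1:
        raise ValueError(f"parameter {name!r} must appear exactly once, got {len(values)}")
    return values[0]


def handle_forgot_password(query: str) -> dict:
    """Simulated reset handler: returns a 400 on a missing or repeated email
    parameter; otherwise reports where the reset link would be sent."""
    params = parse_params(query)
    try:
        email = require_single(params, "email")
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    # A real service should additionally send the link only to the address
    # stored for the account, never to an address taken from the request.
    return {"status": 200, "reset_link_sent_to": email}
```

Running `handle_forgot_password(POLLUTED_QUERY)` returns a 400 with an explanatory error, while the same request read through `resolve(..., "last")` would have quietly selected the second address.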