Parameter Exploits

Parameter Pollution

https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89

  • Parameters can be separated by “&” or “;”:
    ?q=test&q=param
    ?q=test;q=param

ASP.NET

As mentioned, ASP and ASP.NET concatenate the values of a repeated parameter, separated by commas.

POST /index.aspx?par=1&par=2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Cookie: par=5; par=6
Content-Length: 19

par=3&par=4

Request.Params["par"]
par = 1,2,3,4,5,6

Java

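getParameter vs getParameterValues: getParameter returns only the first value of a repeated parameter, while getParameterValues returns all of them.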
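
The following is an added example, not code from the linked article or from any framework: it replays the request shown above and reports the concatenated, first-value and all-values views of a repeated parameter, plus a check that flags duplicated names so a validation layer can reject them. The function names and the merged query/body/cookie order are assumptions chosen to mirror the Request.Params example.

```python
from collections import defaultdict
from urllib.parse import unquote_plus

def parse_pairs(raw):
    """Split a query string or form body into (name, value) pairs.
    Both '&' and ';' are treated as separators, as noted above."""
    pairs = []
    for chunk in raw.replace(";", "&").split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def parse_cookie(header):
    """Split a Cookie header value into (name, value) pairs."""
    pairs = []
    for chunk in header.split(";"):
        name, _, value = chunk.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs

def collect(query, body, cookie):
    """Merge sources in the order query string, form body, cookies.
    Assumption: this order mirrors the Request.Params output shown above."""
    values = defaultdict(list)
    for name, value in parse_pairs(query) + parse_pairs(body) + parse_cookie(cookie):
        values[name].append(value)
    return dict(values)

def views(values, name):
    """Three ways a backend may resolve one repeated parameter."""
    vals = values.get(name, [])
    return {
        "concatenated": ",".join(vals),        # comma-joined, ASP.NET style
        "first": vals[0] if vals else None,    # getParameter style
        "all": list(vals),                     # getParameterValues style
    }

def polluted(values):
    """Names that occur more than once; reject or log these before validation."""
    return sorted(name for name, vals in values.items() if len(vals) > 1)

# Sample input taken from the request shown above.
QUERY, BODY, COOKIE = "par=1&par=2", "par=3&par=4", "par=5; par=6"

if __name__ == "__main__":
    merged = collect(QUERY, BODY, COOKIE)
    print(views(merged, "par"))
    print("duplicated parameters:", polluted(merged))
```

A validation layer that inspects only the "first" view while the backend consumes the "concatenated" or "all" view will disagree on what was submitted, which is why rejecting any name returned by polluted() is the simplest control.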

Mass Assignment

All parameters are written to the database rather than just the specified ones. This can allow an attacker to overwrite the variables with

ASP.NET MVC

https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html#asp-net

Rails

https://guides.rubyonrails.org/security.html