Skip to content

Parameter Exploits

Parameter Exploits

Parameter Pollution

https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89

  • Parameters can be separated by “&” or “;”
?q=test&q=param
?q=test;q=param

ASP Net

As mentioned, ASP and ASP.NET concatenate the values with a comma in between

POST /index.aspx?par=1&par=2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Cookie: par=5; par=6
Content-Length: 19
par=3&par=4

Request.Params[“par”]
par = 1,2,3,4,5,6

Java

getParameter vs getParameterValues

Mass Assignment

All paramaters are written to the database rather than just the specified ones. This can allow an attacker to overwrite the varabales with

ASP.NET MVC

https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html#asp-net

Rails

https://guides.rubyonrails.org/security.html