⚗️Lab: Exploiting server-side parameter pollution in a query string

Loginportswigger.net

To solve the lab, log in as the administrator and delete carlos.

SOLUTIONS

METHOD ONE

• Open Burp Suite and Visit the target URL

• Click on My account

• Click on Forget Password

• View the forgetPassword.js file

• Resend the Forget password link to repeater and add a field as reset_token

%26field=reset_token

• Send the request and copy the URL

• Open the link in the browser

• Enter a new password and confirm it

• Delete the user Carlos

METHOD TWO

1. In Burp's browser, trigger a password reset for the administrator user.

2. In Proxy > HTTP history, notice the POST /forgot-password request and the related /static/js/forgotPassword.js JavaScript file.

3. Right-click the POST /forgot-password request and select Send to Repeater.

4. In the Repeater tab, resend the request to confirm that the response is consistent.

5. Change the value of the username parameter from administrator to an invalid username, such as administratorx. Send the request. Notice that this results in an Invalid username error message.

6. Attempt to add a second parameter-value pair to the server-side request using a URL-encoded & character. For example, add URL-encoded &x=y:

   username=administrator%26x=y

   Send the request. Notice that this returns a Parameter is not supported error message. This suggests that the internal API may have interpreted &x=y as a separate parameter, instead of part of the username.

7. Attempt to truncate the server-side query string using a URL-encoded # character:

   username=administrator%23

   Send the request. Notice that this returns a Field not specified error message. This suggests that the server-side query may include an additional parameter called field, which has been removed by the # character.

8. Add a field parameter with an invalid value to the request. Truncate the query string after the added parameter-value pair. For example, add URL-encoded &field=x#:

   username=administrator%26field=x%23

   Send the request. Notice that this results in an Invalid field error message. This suggests that the server-side application may recognize the injected field parameter.

9. Brute-force the value of the field parameter:

   1. Right-click the POST /forgot-password request and select Send to Intruder.

   2. In the Intruder tab, add a payload position to the value of the field parameter as follows:

      username=administrator%26field=§x§%23

   3. In Intruder > Payloads, click Add from list. Select the built-in Server-side variable names payload list, then start the attack.

   4. Review the results. Notice that the requests with the username and email payloads both return a 200 response.

10. Change the value of the field parameter from x# to email:

    username=administrator%26field=email%23

    Send the request. Notice that this returns the original response. This suggests that email is a valid field type.

11. In Proxy > HTTP history, review the /static/js/forgotPassword.js JavaScript file. Notice the password reset endpoint, which refers to the reset_token parameter:

    /forgot-password?reset_token=${resetToken}

12. In the Repeater tab, change the value of the field parameter from email to reset_token:

    username=administrator%26field=reset_token%23

    Send the request. Notice that this returns a password reset token. Make a note of this.

13. In Burp's browser, enter the password reset endpoint in the address bar. Add your password reset token as the value of the reset_token parameter . For example:

    /forgot-password?reset_token=123456789

14. Set a new password.

15. Log in as the administrator user using your password.

16. Go to the Admin panel and delete carlos to solve the lab.