# Exploiting server-side parameter pollution in a query string

## Description

To solve the lab, log in as the `administrator` and delete `carlos`.

## Solution

<figure><img src="/files/SPUA5Xqsp251ydZFx9ir" alt=""><figcaption></figcaption></figure>

In this case we don't know any account credentials, so we can try to log in with a guessed pair such as 'administrator' / 'password'. Of course these credentials are wrong, so we can use the forgot-password function (`/forgot-password`) to try to retrieve them.

<figure><img src="/files/hv5eqn7uw71xAANNpCBk" alt=""><figcaption></figcaption></figure>

Here we can start the procedure to retrieve the 'administrator' credentials; trying another account such as 'alex', we receive an error saying the account was not found.

<figure><img src="/files/9brj7sCUHrSylciSkzOW" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/pnRc77LXtDiY0TyODO7l" alt=""><figcaption></figcaption></figure>

The system sends the code/link to change the password to the administrator's email address, but the first part of the address is censored.

Analyzing the request with Burp, there is an interesting JavaScript file, `/static/js/forgotPassword.js`, that contains a function handling the reset token:

<figure><img src="/files/TRzKSRLuToNkqKXA2f1s" alt=""><figcaption></figcaption></figure>

Moving on to the `/login` page, we try to find out which methods are allowed via the OPTIONS method:

<figure><img src="/files/39PLMcEzr3UDgDxEiGHk" alt=""><figcaption></figcaption></figure>

The method itself is not allowed, but the response lets us discover that GET and POST are allowed.

We can try to insert a username that does not exist (alex) and one that does (administrator), and we see a different response for each:

<figure><img src="/files/2OkDxTs4YkpgsvLpQI8D" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rJgrb6M7DhzSOwWXAkCE" alt=""><figcaption></figcaption></figure>

So we can proceed using Burp Intruder to fuzz the username parameter, finding that a `field` parameter exists:

<figure><img src="/files/LuGsWRrLdTYsYC0cVDpw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/eecy6i00C7XZkbj3Km3v" alt=""><figcaption></figcaption></figure>

Adding `field` as a parameter with a value, we are able to extract the username value:

<figure><img src="/files/4ZpisjSPdDFWT1uSVBJc" alt=""><figcaption></figcaption></figure>

Doing the same with `field=password`, we obtain a 400 status code instead:

<figure><img src="/files/K9VqhAUsVv6jaWiPW4a8" alt=""><figcaption></figcaption></figure>

Remember the JavaScript file: there is an interesting path in which a `resetToken` value is inserted:

<figure><img src="/files/1sqXf9AtJE0i5H60LDt3" alt=""><figcaption></figcaption></figure>

So, doing a POST request in which we assign `reset_token` to the `field` parameter, we can extract the corresponding reset token from the response:

<figure><img src="/files/FopIvMqRN7V8N5Ufk2Yu" alt=""><figcaption></figcaption></figure>

and doing `GET /forgot-password?reset_token=y8xhpee8hgln52pc9fbj418fu0nxavev` we can correctly reset the password by changing it:

<figure><img src="/files/O8Hcp4dCRXQuHZF20Qqu" alt=""><figcaption></figcaption></figure>

Now we are the administrator user, and going to the Admin panel it is possible to delete the carlos user, solving the lab.

<figure><img src="/files/6JN1o7oMmLSzE5QJAYSK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BP1dLMLB9koJ9RxpRHDi" alt=""><figcaption></figcaption></figure>
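The root cause behind this lab is the front-end building the internal query string by concatenating the user-supplied `username` into it, so an `&field=...` inside the value is interpreted by the backend as a second parameter. The following simulation is an added example written for this writeup, not the lab's own code: the backend store, the masked email and the `RESET_TOKEN_PLACEHOLDER` value are constructed, the internal path `/users/lookup` is assumed, and the assumption that the backend keeps the first occurrence of a repeated parameter is what makes the injected `field` win. It shows the concatenating front-end beside a hardened one that percent-encodes values with `urlencode`, plus a backend allowlist on `field` as a second layer.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed user store standing in for the lab's internal API backend.
# Values are placeholders, not anything from the lab instance.
USERS = {
    "administrator": {
        "username": "administrator",
        "email": "a********@normal-user.net",  # constructed, masked like the lab's response
        "reset_token": "RESET_TOKEN_PLACEHOLDER",
    },
}


def build_backend_url_vulnerable(username: str) -> str:
    """Front-end builds the internal query by string concatenation (assumed path).
    The user-supplied value lands in the query string unencoded, so any '&' or
    '=' it contains becomes query-string syntax on the backend."""
    return "/users/lookup?username=" + username + "&field=email"


def build_backend_url_hardened(username: str) -> str:
    """Same query, but urlencode percent-encodes every value: '&' becomes %26
    and '=' becomes %3D, so they stay inside the username value."""
    return "/users/lookup?" + urlencode({"username": username, "field": "email"})


def backend_lookup(url: str, allowed_fields=None):
    """Simulated internal API. Assumption (constructed, not verified against the
    lab): when a parameter repeats, the backend keeps the FIRST value, which is
    why an injected field=... takes precedence over the front-end's field=email.
    Returns (status_code, body) like a tiny HTTP response."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    username = params.get("username", [""])[0]
    field = params.get("field", [""])[0]
    # Optional second layer of defence: only fields meant to be queryable.
    if allowed_fields is not None and field not in allowed_fields:
        return 400, "Invalid field."
    user = USERS.get(username)
    if user is None:
        return 404, "Invalid username."
    if field not in user:
        # Mirrors the lab's 400 for field=password: no such stored attribute.
        return 400, "Invalid field."
    return 200, user[field]


def forgot_password(username: str, hardened: bool = False, allowed_fields=None):
    """Front-end /forgot-password handler: forwards the lookup to the backend."""
    build = build_backend_url_hardened if hardened else build_backend_url_vulnerable
    return backend_lookup(build(username), allowed_fields)


if __name__ == "__main__":
    payload = "administrator&field=reset_token"
    print("vulnerable front-end :", forgot_password(payload))
    print("encoding front-end   :", forgot_password(payload, hardened=True))
    print("backend allowlist    :", forgot_password(payload, allowed_fields={"email"}))
```

With the concatenating front-end the payload yields the token; with `urlencode` the backend sees a literal username `administrator&field=reset_token`, which does not exist, and with a `field` allowlist the backend refuses `reset_token` even if the front-end is still vulnerable. Either layer alone breaks the chain; in practice both belong in the fix, since the backend should not expose a secret like a reset token as a queryable field at all.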
