
Found a hidden HTTP param? Look deeper, maybe there is a mass | Hack3rScr0lls

Found a hidden HTTP param? Look deeper, maybe there is a mass assignment/autobinding vulnerability.

This issue occurs when a web app automatically binds HTTP parameters to object fields of the same name without filtering fields that should not be assigned.

A User class has the fields email, password and role. At sign-up, the browser sends only email and password. The web app binds the parameters to a user object and sets role to the default 'user'.

If you also send role=admin, the web app assigns it to the role field, bypassing the default value. (Params and code examples are shown in the picture.)
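As an added example (not code from the post), here is the sign-up binding described above in plain Python: the unfiltered binder that lets role=admin through, beside an allow-list binder and a helper that names the unexpected parameters so they can be logged. The class, function and parameter names are assumptions made for this illustration.

```python
from dataclasses import dataclass, fields

@dataclass
class User:
    email: str = ""
    password: str = ""
    role: str = "user"  # default; must never be client-controlled

FIELD_NAMES = {f.name for f in fields(User)}

# Constructed sign-up request: the browser form only has email and password,
# but the client has appended a role parameter it discovered.
SIGNUP_REQUEST = {
    "email": "alice@example.com",
    "password": "hunter2",
    "role": "admin",
}

def bind_unfiltered(params: dict) -> User:
    """Vulnerable autobinding: every param whose name matches a field is assigned."""
    user = User()
    for name, value in params.items():
        if name in FIELD_NAMES:
            setattr(user, name, value)
    return user

# Fields a sign-up request is allowed to set; everything else is ignored.
ALLOWED_SIGNUP_FIELDS = frozenset({"email", "password"})

def bind_allowlisted(params: dict) -> User:
    """Hardened binding: copy only the explicitly permitted fields."""
    user = User()
    for name in ALLOWED_SIGNUP_FIELDS & params.keys():
        setattr(user, name, params[name])
    return user

def unexpected_params(params: dict) -> set:
    """Names the client sent that are not on the allow-list (a signal worth logging)."""
    return set(params) - ALLOWED_SIGNUP_FIELDS

if __name__ == "__main__":
    print("unfiltered role:  ", bind_unfiltered(SIGNUP_REQUEST).role)   # admin
    print("allow-listed role:", bind_allowlisted(SIGNUP_REQUEST).role)  # user
    print("unexpected params:", unexpected_params(SIGNUP_REQUEST))      # {'role'}
```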

How to find:
> Identify the framework (affected: RoR, ASP.NET, Spring and others)
> Use Param Miner to find hidden params
> Build a custom dictionary from the site content (HTML and JS)

Sometimes the changed object fields are not visible in the response either, so you need to explore the app closely.


#Web #Hidden #Parameters