Found a hidden HTTP param? Look deeper, maybe there is a mass assignment/autobinding vulnerability. | Hack3rScr0lls
This issue occurs when a web app automatically binds HTTP parameters to object fields of the same name without filtering out the fields that a client should not be able to set.
Example: a User class has the fields email, password and role. At sign-up, the browser sends only email and password. The web app binds the parameters to a User object and sets role to the default 'user'.
If you also send role=admin, the web app assigns it to the role field, bypassing the default value (the params and code examples are shown in the picture).
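The sign-up scenario above as an added, self-contained Ruby example (not code from the original post or from any of the frameworks it names): a User model that auto-binds every matching param, next to the same binding restricted to an allowlist, with a constructed request that carries the hidden role parameter.

```ruby
# Added example (not from the original post): a minimal User model that
# auto-binds request params, first the way the vulnerable app does it and
# then with an allowlist so role cannot be set from the outside.
class User
  attr_accessor :email, :password, :role
  # Fields a sign-up request is allowed to set; role is deliberately absent.
  SIGNUP_PERMITTED = %w[email password].freeze

  def initialize
    @role = "user" # default that the client must not be able to override
  end

  # Vulnerable auto-binding: any param whose name matches a setter is assigned,
  # so "role=admin" silently replaces the default.
  def bind_all(params)
    params.each do |name, value|
      setter = "#{name}="
      send(setter, value) if respond_to?(setter)
    end
    self
  end

  # Hardened binding: only allowlisted fields are assigned; the rejected names
  # are returned so the caller can log the request as suspicious.
  def bind_permitted(params, permitted = SIGNUP_PERMITTED)
    rejected = []
    params.each do |name, value|
      if permitted.include?(name.to_s)
        send("#{name}=", value)
      else
        rejected << name.to_s
      end
    end
    [self, rejected]
  end
end

# Constructed sign-up request: the browser form sent email and password,
# and the hidden role parameter was appended by the client.
SIGNUP_PARAMS = {
  "email" => "alice@example.com",
  "password" => "s3cret",
  "role" => "admin"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: role=#{User.new.bind_all(SIGNUP_PARAMS).role}"
  user, rejected = User.new.bind_permitted(SIGNUP_PARAMS)
  puts "hardened:   role=#{user.role}, rejected=#{rejected.inspect}"
end
```

The rejected list is the detection hook: a sign-up request that names a field outside the allowlist is worth logging and alerting on even though the hardened binder ignores it.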
How to find:
> Identify the framework (affected: RoR, ASP.NET, Spring and others)
> Use Param Miner to find hidden params
> Make a custom dictionary from the site content (HTML and JS)
Sometimes the effect of the assignment is not visible in the response either, so you need to explore the app closely to see which object fields changed.
#Web #Hidden #Parameters