
Thread: Not only parameter values, but parameter names too

  1. #1
    abhaythehero

    Not only parameter values, but parameter names too



    Hi all,

    Injecting malicious values for different parameters is always what we naturally do. But think about this. Instead of injecting content into the values of parameters, we inject content into the parameter name!

    A less commonly used technique is to attack parameter names. With this technique, the attack strings are inserted into the name of a request parameter, typically into a newly-added parameter name. In various situations, this technique can identify bugs that cannot be found only by manipulating parameter values. Applications often perform some defensive input validation on the values of request parameters, but perform less rigorous or no validation on parameter names. If arbitrary parameter names are subsequently processed in an unsafe manner, then the application is vulnerable, and can be exploited by submitting crafted input within parameter names. I'll describe a couple of examples of this.
    Here are the 2 posts which explain in detail >>

    PortSwigger Web Security Blog: Attacking parameter names
    Regalado (In) Security: Post/Get Parameter's Name Injection
    In the world of 0s and 1s, are you a zero or The One !
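
The gap the post describes, where values are validated but names are not, shown as an added example that is not part of the original post or the linked articles. It assumes a hypothetical profile-update handler that builds an SQL `UPDATE` from the submitted parameters; the table, column names, function names and request body are all constructed for illustration.

```python
import sqlite3
from urllib.parse import parse_qsl

ALLOWED_COLUMNS = {"email", "display_name"}  # assumed set of editable fields

# Constructed request body: the second parameter *name* decodes to
# "is_admin = 1, email"; both parameter values are harmless.
CRAFTED_BODY = "display_name=bob&is_admin%20%3D%201%2C%20email=b%40example.test"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
               "display_name TEXT, is_admin INTEGER DEFAULT 0)")
    db.execute("INSERT INTO users (id, email, display_name) "
               "VALUES (1, 'a@example.test', 'alice')")
    return db

def is_admin(db, user_id):
    row = db.execute("SELECT is_admin FROM users WHERE id = ?", (user_id,))
    return row.fetchone()[0]

def update_profile_unsafe(db, user_id, body):
    # Values are bound as SQL parameters, but names are pasted into the SQL text.
    params = parse_qsl(body, keep_blank_values=True)
    assignments = ", ".join(f"{name} = ?" for name, _ in params)
    db.execute(f"UPDATE users SET {assignments} WHERE id = ?",
               [value for _, value in params] + [user_id])

def update_profile_safe(db, user_id, body):
    # Names are checked against a fixed allowlist before reaching the SQL text.
    params = parse_qsl(body, keep_blank_values=True)
    rejected = [name for name, _ in params if name not in ALLOWED_COLUMNS]
    if rejected:
        raise ValueError(f"unexpected parameter names: {rejected!r}")
    if not params:
        return
    assignments = ", ".join(f"{name} = ?" for name, _ in params)
    db.execute(f"UPDATE users SET {assignments} WHERE id = ?",
               [value for _, value in params] + [user_id])

if __name__ == "__main__":
    db = make_db()
    update_profile_unsafe(db, 1, CRAFTED_BODY)
    print("unsafe handler, is_admin =", is_admin(db, 1))
    db = make_db()
    try:
        update_profile_safe(db, 1, CRAFTED_BODY)
    except ValueError as exc:
        print("safe handler rejected request:", exc)
```

Binding the values as SQL parameters protects only the values; anything derived from a parameter name needs its own check, and an allowlist of expected names is the simplest one.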
