08-09-2012, 06:24 PM #1
- Join Date
- Sep 2010
- Blog Entries
- Thanked 144 Times in 83 Posts
Not only parameter values, but parameter names too
Injecting malicious values for different parameters is always what we naturally do. But think about this. Instead of injecting content in values for parameters, we inject content into parameter name !
A less commonly used technique is to attack parameter names. With this technique, the attack strings are inserted into the name of a request parameter, typically into a newly-added parameter name. In various situations, this technique can identify bugs that cannot be found only by manipulating parameter values. Applications often perform some defensive input validation on the values of request parameters, but perform less rigorous or no validation on parameter names. If arbitrary parameter names are subsequently processed in an unsafe manner, then the application is vulnerable, and can be exploited by submitting crafted input within parameter names. I'll describe a couple of examples of this.
PortSwigger Web Security Blog: Attacking parameter names
Regalado (In) Security: Post/Get Parameter's Name InjectionIn the world of 0s and 1s, are you a zero or The One !