👩🎓👨🎓 Learn about API testing (and server-side parameter pollution)! To solve this lab, we'll need to log in as the administrator and delete the user carlos.
If you're struggling with the concepts covered in this lab, please review https://portswigger.net/web-security/... 🧠
🔗 Portswigger challenge: https://portswigger.net/web-security/...
🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register
👾 Join our Discord - https://go.intigriti.com/discord
🎙️ This show is hosted by _cryptocat ( @_CryptoCat ) & intigriti
👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com
Overview:
0:00 Intro
0:26 Server-side parameter pollution
1:21 Testing for server-side parameter pollution in the query string
1:57 Truncating query strings
3:03 Injecting invalid parameters
3:42 Injecting valid parameters
4:20 Overriding existing parameters
5:24 Lab: Exploiting server-side parameter pollution in a query string
5:37 Explore site functionality
6:18 Analyse JavaScript
7:03 Probe password reset for parameter pollution
9:19 Brute-force parameter with Burp Intruder
10:25 Reset administrator password with leaked token
10:53 Conclusion