HTTP Parameter Pollution and Mass Assignment Attacks

This blog focuses on two important things: the HTTP parameter pollution attack and mass assignment vulnerability. It helps developers to understand the risks that web apps can face and how to make them safer. The blog talks a lot about the need to check and control the information that goes into these apps. By doing this, it stops bad guys from getting in and changing things they shouldn’t. This blog gives helpful advice to make sure web apps are really secure. 

Index

1. HTTP Parameter Pollution
2. Mass Assignment
3. Best Practices
4. Conclusion

 

HTTP Parameter Pollution Attack 

HTTP Parameter Pollution (HPP) is a web application input validation vulnerability that occurs when an attacker appends the extra parameters in an HTTP request making confusing the web application and leading to unexpected behavior. This can potentially result in security issues such as bypassing security controls, accessing unauthorized data, or causing application malfunctions.

Using these characters in the input parameters could potentially perform a parameter pollution attack:

 / ? : @ & = + $ , ;\

Attack Scenario: 

1. A web application that allows users to view their account details after logging in. The application takes a “user_id” parameter in the URL to fetch the user’s data from the server.
2. URL for User Account Information: https://example.com/details?id=100
3. An adversary will duplicate the id parameter and bypass the authorization checks from the server side and gains unauthorized access to view the details of other users’ accounts.\

Request	Response
GET /details? id=100&id=101  HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0	HTTP/1.1 200 OK server:  content-type: application/json cache-control: no-cache, private { “email”:[”yourmail@gmail.com”, ”victim@gmail.com”], “phoneNumber”:[+91-9999999999,+91-8888888888] }

 

Impact:

• HPP can lead to the disclosure of sensitive information if the attacker manipulates parameters to access restricted resources or bypass authentication mechanisms. For example, if an application uses parameters to determine user privileges, an attacker could manipulate these parameters to access unauthorized data.

1. HPP can also chain with other vulnerabilities, such as SQL injection or Cross-Site Scripting (XSS), to create more powerful and dangerous injection attacks.
2. Attackers can use HPP to manipulate application logic and cause unintended actions or transactions, leading to financial loss or other undesired outcomes (https://example.com/transfer_amount?from=1234&to=5678&amount=9999&from=8686)

Mitigation:

• Validate and sanitize all user inputs on the server side. Ensure that only expected and valid characters are accepted.
• Ensure to implement that parameters are processed in the exact order they are received so the server can accurately interpret the intended values and prevent the pollution of parameter values. 
• Maintain a strict whitelist of allowed characters for each parameter to prevent unexpected input.
• Avoid using the same parameter name for different purposes within a single request to prevent parameter pollution.

 

Mass Assignment Vulnerability

Mass assignment is a process of assigning multiple values to object properties in a single operation. Mass assignment occurs due to flaws in the design or implementation of an application’s access control system. when an application allows users to easily update or create objects by automatically binding the data submitted in HTTP requests to the corresponding attributes or properties of the object. It allows unauthorized users to modify sensitive attributes or gain elevated privileges by manipulating the request parameters.

An additional parameter is added by guessing or based on parameters exposed in response. E.g. below.

“isAdmin”: true

“premium”: true

“banned”: false

The application uses the predefined parameter to define the access control of the user and these parameters are directly reflected in the response. Attackers can easily send those manipulated parameters with the request and can bypass the privileges.

Attack Scenario:

1. The web application offers a registration feature through which users can create new accounts. During the registration process, it has been noticed that the response indicates “admin”: false.
2. Due to a lack of input validation and authorization checks implemented, an adversary will add an additional parameter to the request “admin”: true and send the request to the server.
3. By this an attacker can create an administrator account without proper authorization, potentially gaining unauthorized access to sensitive administrative functions and data.

Request	Response
Original Request – POST /signup HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Content-Length: [length] Origin: https://example.com Connection: keep-alive Referer: https://example.com/signup-page {   “username”: “newuser”,   “password”: “secretpassword”, }	Original Response –  HTTP/1.1 201 Created Date: Tue, 10 Aug 2023 00:00:00 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: [length] Content-Type: application/json; charset=utf-8 Connection: close {   “status”: “success”,   “message”: “Account created successfully.”,   “user_id”: “123456”,   “admin”: false }
Vulnerable Request – POST /signup HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Content-Length: [length] Origin: https://example.com Connection: keep-alive Referer: https://example.com/signup-page {   “username”: “newuser”,   “password”: “secretpassword”,   “admin”: true }	Vulnerable Response –  HTTP/1.1 201 Created Date: Tue, 10 Aug 2023 00:00:00 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: [length] Content-Type: application/json; charset=utf-8 Connection: close {   “status”: “success”,   “message”: “Account created successfully.”,   “user_id”: “123456”,   “admin”: true }

 

Impact:

• Attackers can manipulate the submitted data to modify or create objects with unauthorized attributes, potentially gaining access to sensitive data or functionality they shouldn’t have.
• By modifying attributes, attackers can elevate their privileges, granting them higher access levels or administrative capabilities.
• If sensitive attributes are negligently mass-assigned, attackers might extract or modify sensitive information that should not be accessible and allow them to modify user profiles, leading to unauthorized account takeovers.

Mitigation:

• Avoid functions that automatically bind a client’s input into code variables or internal objects.
• Use DTO_IN and DTO_OUT to whitelist only the properties that should be updated by the client.
• Blacklist properties that should not be accessed by clients.
• If applicable, explicitly define and enforce schemas for the input data payloads.
• using frameworks or libraries that provide built-in protections against mass assignment vulnerabilities can help mitigate the risk

 

Difference Between HTTP Parameter Pollution Attack and Mass Assignment Vulnerability:

HTTP Parameter Pollution	Mass Assignment
HPP is concerned with manipulating and polluting parameters in HTTP requests to trick the application’s logic or access control mechanisms.	Mass assignment deals with the improper binding of request parameters to object properties, allowing attackers to modify attributes they should not have access to.
In HPP, an adversary will add the same parameter using “&” or other chars. For e.g. id=123&id=101	In MA, an additional parameter is added by guessing or based on parameters exposed in response. E.g. below. “isAdmin”: true “premium”: true “banned”: false

 

In both cases, proper input validation, parameter handling, and access control mechanisms are essential to mitigate the associated security risks. Developers should carefully validate and sanitize user inputs and ensure that only authorized parameters are accepted and processed correctly.

References:

https://owasp.org/www-project-web-security-testing-guide/latest/4 Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution

https://book.hacktricks.xyz/pentesting-web/parameter-pollution

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/20-Testing_for_Mass_Assignment

 

Conclusion:

In conclusion, this write-up has provided an exploration of the HTTP parameter pollution attack and mass assignment vulnerability. By understanding the importance of these security threats and their potential impacts on web applications.

The significance of implementing robust input validation and contextual escaping as fundamental defensive measures against these vulnerabilities has been highlighted. By incorporating these practices into their development processes, developers can reinforce the security of their applications and minimize the risks associated with unauthorized access and data manipulation.