Sometimes a web application talks to internal APIs that are not reachable from the internet. These APIs can still be attacked when the application takes user input, builds a server-side request to the internal API from it without proper encoding or sanitization, and forwards the result. An attacker who controls part of that request URL may be able to manipulate existing parameters or inject new ones.
Example
Consider a social media platform like Instagram. It has a Search page where you can look for people's profiles and view them, but the catch is that you can only view profiles that their owners have set to public.
When we search for a name on the platform, the following GET request is made:
GET /user?name=vedant
The server then sends a second request to the internal API, asking for that user's information:
GET /profile/search?name=vedant&public=True
So the server appends the parameter public with the value True to restrict the lookup to public profiles. If the searched profile is not public, no data is returned.
But what if we want to view private profiles? We can try to bypass the public=True check by breaking out of the name parameter in the server-side request.
Truncating query strings
We can use the # symbol to truncate the query string. Sending a literal # will most probably not work, because the browser treats it as the start of the URL fragment and never sends it to the server; hence we use its URL-encoded form instead.
The URL-encoded form of # is %23. If we send it as part of the name as follows:
GET /user?name=vedant%23
then the server decodes it and builds the following server-side request:
GET /profile/search?name=vedant#&public=True
If the server decodes %23 before building the internal request, everything after the # is now a URL fragment. Fragments are not sent to the server, so the &public=True part is dropped and the internal API returns the profile whether it is public or not. Whether this works depends on how the server-side HTTP client handles the #: if it strips the fragment you get the bypass; if it sends it literally or re-encodes it as %23, the backend simply sees a name containing a # character and nothing is truncated.
Injecting more parameters
You can also use the encoded form of &, which is %26, to inject additional parameters, valid or invalid. For example, sending name=vedant%26public=False makes the server-side request /profile/search?name=vedant&public=False&public=True, which now carries the public parameter twice. Whether that bypasses the check depends on which of the duplicate values the internal API honours (the first, the last, or both), so try the injected parameter in both positions.
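The following Python simulation is an added example, not code from the original page; it models the front-end handler, the server-side URL construction and the internal API's parsing with Python's urllib, to show what both the %23 truncation and the %26 injection above produce, and what the backend sees instead when the front end re-encodes the value. The route names and the public parameter are taken from the page; the function names and the assumption that the web framework percent-decodes the query string before the handler sees it are mine.

```python
from urllib.parse import parse_qs, unquote, urlencode, urlsplit


def decode_client_param(raw: str) -> str:
    """The web framework percent-decodes query values before the handler runs
    (assumption: ?name=vedant%23 reaches the handler as 'vedant#')."""
    return unquote(raw)


def vulnerable_internal_url(name: str) -> str:
    """The bug described on the page: the decoded user value is concatenated
    into the server-side URL without being re-encoded."""
    return "/profile/search?name=" + name + "&public=True"


def hardened_internal_url(name: str) -> str:
    """Fixed version: urlencode re-encodes '#', '&' and '=' in the value, so they
    stay data inside the name parameter instead of becoming URL syntax."""
    return "/profile/search?" + urlencode({"name": name, "public": "True"})


def backend_view(url: str) -> dict:
    """What the internal API parses. urlsplit drops the fragment (which an HTTP
    client would never send), and parse_qs splits the query on '&', keeping
    every value of a repeated parameter so the HPP case is visible."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "name": params.get("name", [""])[0],
        # Empty list means the public restriction never reached the backend.
        "public": params.get("public", []),
    }


if __name__ == "__main__":
    # Constructed client inputs: the two payloads discussed on the page.
    for raw in ("vedant%23", "vedant%26public=False"):
        name = decode_client_param(raw)
        print(f"client sends name={raw}")
        print("  vulnerable ->", vulnerable_internal_url(name),
              "-> backend sees", backend_view(vulnerable_internal_url(name)))
        print("  hardened   ->", hardened_internal_url(name),
              "-> backend sees", backend_view(hardened_internal_url(name)))
```

With the vulnerable builder, the %23 payload leaves the backend with no public parameter at all, and the %26 payload gives it public=["False", "True"], where the outcome depends on which duplicate the API reads. With the hardened builder the backend sees the literal strings "vedant#" and "vedant&public=False" as the name and a single public=True, so neither payload changes the check.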