Server Side Parameter Pollution in REST paths

Consider an endpoint that receives requests to edit user profiles:

GET /edit.php?username=vedant

The request leads to the following server-side request:

GET /api/user/vedant

Now suppose we manipulate the request to perform path traversal, as follows:

GET /edit.php?username=vedant%2f..%2fadmin

The above is the URL-encoded form of vedant/../admin.

The resulting server-side request will be:

GET /api/user/vedant/../admin

If the backend API normalizes the path, the request becomes GET /api/user/admin.

This way, API endpoints can be exploited if no server-side safeguards are deployed.
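
The safeguard this refers to, as an added example (not code from the original page): the front end's path construction written naively and then hardened, with the backend's normalization modelled by posixpath.normpath. The function names and the username allowlist are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import quote, unquote

API_PREFIX = "/api/user/"  # backend route shown on the page
# Assumed username policy: letters, digits, "_" and "-" only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def backend_path_naive(username: str) -> str:
    """Pattern described above: decoded input is concatenated into the path."""
    return API_PREFIX + username


def backend_path_safe(username: str) -> str:
    """Allowlist the value, then percent-encode it as a single path segment."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    return API_PREFIX + quote(username, safe="")


def normalized(path: str) -> str:
    """What a path-normalizing backend resolves the request path to."""
    return posixpath.normpath(path)


def run_demo() -> dict:
    # Constructed input: the query value from the page, decoded the way
    # the web framework hands it to edit.php.
    param = unquote("vedant%2f..%2fadmin")
    naive = backend_path_naive(param)
    try:
        safe = backend_path_safe(param)
    except ValueError:
        safe = None  # rejected before any server-side request is built
    return {
        "naive": naive,
        "naive_resolved": normalized(naive),
        "safe": safe,
        "benign": backend_path_safe("vedant"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Validation happens on the decoded value, so encoded separators such as %2f are rejected the same way as a literal slash.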
