Server Side Parameter Pollution in structured data formats

Here we will discuss the manipulation of parameters in JSON and XML data formats which are used in server-side processing.

Consider we make the following POST request to update our profile

POST /update
name = "vedant"

The server-side request would be

PATCH /users/98121/update
{"name": "vedant"}

Now if we add an access_level parameter to the POST request

POST /update
name = "vedant", "access_level":"administrator"

The server-side PATCH request will be

PATCH /users/98121/update
{"name": "vedant", "access_level":"administrator"}

Now if there is no server-side filtering or sanitisation, then the user vedant can gain administrator access.

Last updated 21 days ago