Vulnerability: Data Validation; Parameter Delimiter
Description:
For almost all levels I will be using Burp Suite. Burp Suite is an interception proxy that lets us modify the HTTP request / response by intercepting the data between the browser and the web server.
Let’s first create a user account to test the functionality. Again, have Burp running so we can see the HTTP request.
When creating an account the HTTP request looks like this:
Log in as the user we created. We can see that the role is ‘normal’; we need to change it to admin.
We can use Burp’s Repeater to efficiently experiment with different parameters and values. Find the Registration request under the Proxy tab -> HTTP History, right-click and select ‘Send to Repeater’.
After experimenting for a while, I noticed that adding a newline character would change the order of parameters.
Registration HTTP request:
The newline character is URL-encoded as ‘%0d%0a’ in the password parameter. When I log in, Account Details displays the following:
This means that we have shifted the order of the account’s attributes, so if we do our insertion after the lname parameter, we should be able to inject the role attribute in the right spot.
And… Level 3 complete.
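The shifted attributes described above are consistent with a server that stores one account attribute per line and reads them back by position. The following is an added example, not the challenge's own code: the storage format, field order and function names are assumptions. It shows that pattern beside a hardened version that rejects delimiter characters, sets the role server-side and serialises the record as JSON.

```python
import json
import unicodedata

FIELDS = ("username", "password", "fname", "lname")  # assumed form fields


def save_vulnerable(form):
    # Server appends the role, then joins everything with the record delimiter.
    return "\n".join([form[f] for f in FIELDS] + ["normal"])


def load_vulnerable(record):
    # Attributes are recovered purely by line position.
    return dict(zip(FIELDS + ("role",), record.splitlines()))


def has_delimiter(value):
    # Control characters (Cc) and Unicode line/paragraph separators (Zl, Zp)
    # cover every line break that str.splitlines() recognises.
    return any(unicodedata.category(c) in ("Cc", "Zl", "Zp") for c in value)


def save_hardened(form):
    bad = [f for f in FIELDS if has_delimiter(form[f])]
    if bad:
        raise ValueError(f"control characters rejected in: {', '.join(bad)}")
    record = {f: form[f] for f in FIELDS}
    record["role"] = "normal"  # set by the server, never taken from input
    # JSON escapes delimiters, so values cannot change the record's structure.
    return json.dumps(record)


def load_hardened(record):
    return json.loads(record)


# Constructed sample input: a URL-decoded %0d%0a inside lname.
SAMPLE = {"username": "alice", "password": "pw", "fname": "Al", "lname": "Doe\r\nadmin"}

if __name__ == "__main__":
    print(load_vulnerable(save_vulnerable(SAMPLE)))
    try:
        save_hardened(SAMPLE)
    except ValueError as exc:
        print("hardened:", exc)
```
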