
Posted in: Blog, Posted On: Jun 06, 2017, Posted By: cyberinfoadmin

HTTP Parameter Tampering in DELL Website

Parameter Pollution: HTTP Parameter Pollution (HPP), as the name implies, pollutes the HTTP parameters of a web application in order to achieve a malicious outcome that differs from the application's intended behaviour. The technique is simple but quite effective, and the root cause is almost always input that is not sanitised properly. HPP injects encoded query-string delimiters into existing or additional HTTP parameters (GET, POST or Cookie), which makes it possible to supersede parameter values that already exist, to inject a new parameter, or to reach variables that were never meant to be set directly. The attack affects all web technologies, on both the client side and the server side.

Generally, an attacker can use HPP vulnerabilities to:

  • Supersede existing hardcoded HTTP parameters
  • Alter or modify the intended/normal application behaviour
  • Access and potentially exploit variables that are not properly controlled
  • Bypass WAF rules or input validation mechanisms
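The two symptoms the paragraph above describes, a parameter name that appears more than once and a percent-encoded delimiter hiding inside a value, are what a server-side check should look for before the request reaches application logic. The following is an added example written for this post, not code from the original article or from any vendor; it uses Python's standard `urllib.parse.parse_qs` and constructed sample query strings (the `tag`, `view` and `full` names and values are invented for illustration).

```python
"""Added example: detecting HTTP Parameter Pollution (HPP) at the server edge.

Two checks a defender applies to an incoming query string:
  1. the same parameter name must not appear more than once, because
     frameworks disagree on whether the first, the last or all values win;
  2. a value must not smuggle query delimiters ('&', '=') through URL
     encoding, because a downstream component that decodes the value a
     second time would split it into extra parameters.
All sample inputs are constructed for this example and do not come from
any real site.
"""
from urllib.parse import parse_qs

# Characters that separate parameters and names from values in a query string.
DELIMITERS = ("&", "=")


def parse_query(query: str) -> dict:
    """Parse a raw query string into name -> list of decoded values.

    parse_qs splits on '&' before decoding, decodes percent-escapes exactly
    once, and keeps every occurrence of a repeated name, which is exactly
    what the two checks below need.
    """
    return parse_qs(query, keep_blank_values=True)


def duplicated_params(query: str) -> list:
    """Names that occur more than once (classic HPP: supersede a parameter)."""
    parsed = parse_query(query)
    return sorted(name for name, values in parsed.items() if len(values) > 1)


def smuggled_delimiter_params(query: str) -> list:
    """Names whose decoded value still contains a query delimiter.

    After one round of decoding, 'tag=ABC%26view%3Dfull' yields the single
    value 'ABC&view=full'. A component that decodes or re-splits that value
    again would see a brand-new 'view' parameter, so flag it here.
    """
    parsed = parse_query(query)
    return sorted(
        name
        for name, values in parsed.items()
        if any(delim in value for value in values for delim in DELIMITERS)
    )


def hpp_verdict(query: str) -> dict:
    """Run both checks; 'accept' is True only when neither fires."""
    dups = duplicated_params(query)
    smuggled = smuggled_delimiter_params(query)
    return {"duplicated": dups, "smuggled": smuggled, "accept": not dups and not smuggled}


if __name__ == "__main__":
    samples = [  # constructed inputs, not real requests
        "tag=ABC1234&view=summary",   # clean request
        "tag=ABC1234&tag=XYZ9876",    # same name twice
        "tag=ABC1234%26view%3Dfull",  # encoded '&' and '=' inside one value
    ]
    for q in samples:
        print(q, "->", hpp_verdict(q))
```

Rejecting any decoded value that contains `&` or `=` is a strict policy; an application whose fields legitimately carry those characters should instead guarantee that every component decodes the query exactly once and reads only the parameter occurrence the framework documents, so that no second parser can be made to see a different set of parameters.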

On the DELL website, parameter tampering is possible because of this attack: a hacker can view a user's details and modify them. Even after reporting it to their security team, they couldn't remove the bug!


POC


Here, we can view the details like Username, Phone number, Address, Service tag of laptop.