Server-Side Parameter Pollution (SSPP) Overview
Server-Side Parameter Pollution (SSPP) occurs when an application embeds user input in a server-side request to an internal API (in its query string, path, headers or body) without encoding or validating it first. Because the value is spliced in as raw text, characters the internal API treats as syntax, such as &, = and #, are interpreted as delimiters rather than data. The attacker never talks to the internal API directly, so the effect is only visible indirectly through the application's responses, but it can still lead to parameter manipulation, unauthorized data access and changes to application behavior.
How SSPP Works
- Parameter Injection: The attacker places delimiter characters in a user-controlled value, usually URL-encoded (%26 for &, %23 for #, %3D for =) so that the front-end decodes them while passing the value through, which appends new parameters or duplicates existing ones in the internal request.
- Unfiltered Input: The application concatenates the decoded value into the internal request without re-encoding or validating it, so the delimiters survive into the request it sends.
- Server-Side Processing: The internal API parses the polluted request under its own rules for duplicate keys, fragments and truncation, and acts on the injected parameters. Because the attacker cannot observe that request, differences in the response body, error messages or timing are the main evidence that the injection succeeded.
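As an added example (not code from the original page), the following Python script models the three steps above: a hypothetical front-end that forwards a user-supplied name to an internal API, once by string concatenation and once with proper encoding, plus a model of how the internal API parses the resulting URL. The hostname, the path and the publicProfile filter parameter are assumptions chosen for illustration.

```python
from urllib.parse import parse_qs, unquote, urlencode, urlparse

# Assumed for illustration: the internal API the front-end calls, and the
# filter the front-end always appends so callers only see public profiles.
BACKEND_BASE = "http://internal-api.example/users/search"


def build_backend_url_vulnerable(name: str) -> str:
    """SSPP-prone pattern: the (already URL-decoded) user value is spliced
    into the query string as text, so '&', '=' and '#' inside it become
    query-string syntax for the internal API."""
    return f"{BACKEND_BASE}?name={name}&publicProfile=true"


def build_backend_url_safe(name: str) -> str:
    """Hardened pattern: urlencode percent-encodes the delimiters, so the
    value reaches the internal API as a single opaque string."""
    query = urlencode({"name": name, "publicProfile": "true"})
    return f"{BACKEND_BASE}?{query}"


def backend_view(url: str) -> dict:
    """Model how the internal API sees the request: anything after '#' is a
    URL fragment, which an HTTP client never sends, so it is dropped here.
    parse_qs keeps every occurrence of a duplicated key, in order."""
    return parse_qs(urlparse(url).query, keep_blank_values=True)


def front_end(raw_param: str, builder) -> dict:
    """Simulate the web framework decoding the attacker's query parameter
    (%26 -> '&', %23 -> '#') and handing the decoded value to `builder`,
    then return what the internal API would parse from the result."""
    decoded = unquote(raw_param)
    return backend_view(builder(decoded))


if __name__ == "__main__":
    # Constructed probe values an attacker would send as ?name=<value>:
    # the first injects a duplicate filter, the second truncates the query.
    probes = ["peter%26publicProfile=false", "peter%23"]
    for builder in (build_backend_url_vulnerable, build_backend_url_safe):
        for probe in probes:
            print(f"{builder.__name__:30} {probe:30} -> {front_end(probe, builder)}")
```

With the vulnerable builder, the first probe gives the internal API two publicProfile values (false, then true) and the second probe removes publicProfile entirely, because the decoded # turns the application's own suffix into a fragment. With the safe builder both probes arrive as a literal name value and publicProfile=true is preserved.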
Potential Impacts
- Parameter Override: Attackers can supply a second copy of a parameter the application sets itself; which copy wins depends on whether the back-end parser keeps the first or the last occurrence, and a fragment character (#) can truncate everything the application appended after the injected value.
- Behavior Modification: Injected parameters can switch on options the application never meant to expose to callers, changing how it processes data or how it interacts with the internal API.
- Unauthorized Data Access: Overriding or truncating parameters that enforce a filter or scope, such as one that restricts results to records the caller is allowed to see, can bypass access control and expose sensitive data.
Testing for SSPP
When assessing an application for SSPP vulnerabilities, consider the following input types and locations:
- Query Parameters: Test URL query strings, URL-encoding the delimiter so the front-end passes it through rather than splitting on it itself. Example:
http://example.com/api/resource?id=123%26extra_param=malicious_value
- Form Fields: Submit form values that contain encoded delimiters; the server-side request the application builds, not the HTML form, is the target. Example (URL-encoded request body):
username=attacker%26extra_param=malicious_value
- Headers: Modify HTTP headers to include extra parameters. Header values are usually not URL-decoded by the framework, so try the raw delimiter as well as its encoded form. Example:
X-Custom-Header: value&extra_param=malicious_value
- URL Path Parameters: When the value is placed in the path of the internal request, inject encoded path separators and traversal sequences, or an encoded fragment to truncate the rest of the path. Examples:
http://example.com/api/resource/123%2F..%2F456
http://example.com/api/resource/123%23
Enhanced Testing Techniques
- Truncation and Injection: Inject a URL-encoded fragment character (%23) to truncate any parameters the application appends after your value, and inject both valid and invalid parameter names to compare responses: a changed error message, a different result set or a different response time indicates the internal API saw the injected parameter.
- Parameter Overriding: Inject duplicate or conflicting parameter names in query strings, form fields and URL paths. Which value takes effect depends on the back-end parser (first occurrence, last occurrence or all of them), so test with the duplicate placed both before and after the application's own copy of the parameter.
- Structured Data Formats: Test JSON and XML bodies for parameter pollution. If the application builds the body by string concatenation, a value that closes the current string and adds a key, such as attacker", "extra_param": "malicious_value, produces the body below; when the injected key duplicates an existing one, parsers disagree on which copy wins, and many keep the last. Example for JSON:
{ "user": "attacker", "extra_param": "malicious_value" }
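Added example (not part of the original page): a Python script showing why the outcome of parameter overriding and of structured-data pollution depends on the back-end parser. It models two query-string parsers with opposite duplicate-key precedence, shows that Python's json module silently keeps the last duplicate key, and adds a strict loader that rejects duplicates instead. The parameter name publicProfile and the sample query strings and JSON body are constructed for illustration.

```python
import json
from urllib.parse import parse_qs, parse_qsl


def first_wins(query: str) -> dict:
    """Back-end style A: the first occurrence of a duplicated key is used."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def last_wins(query: str) -> dict:
    """Back-end style B: building a dict from the pair list keeps the last one."""
    return dict(parse_qsl(query, keep_blank_values=True))


def precedence_report(query: str, key: str) -> dict:
    """Report which value each parser style would act on for `key`. An
    injected duplicate overrides the application's own value only on the
    style whose precedence matches where the injection landed."""
    return {"first_wins": first_wins(query).get(key),
            "last_wins": last_wins(query).get(key)}


def json_has_duplicate_keys(body: str) -> bool:
    """True if any object in `body` repeats a key. json.loads on its own
    keeps the last value and hides the pollution."""
    found = []

    def check(pairs):
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            found.append(True)
        return dict(pairs)

    # object_pairs_hook runs for every object, nested ones included.
    json.loads(body, object_pairs_hook=check)
    return bool(found)


def load_json_strict(body: str) -> dict:
    """Hardened loader: refuse bodies with duplicate keys rather than let
    parser precedence decide which value wins."""
    if json_has_duplicate_keys(body):
        raise ValueError("duplicate JSON keys rejected")
    return json.loads(body)


if __name__ == "__main__":
    # Constructed: the same injected duplicate placed before and after the
    # application's own publicProfile=true.
    for q in ("name=peter&publicProfile=false&publicProfile=true",
              "publicProfile=true&name=peter&publicProfile=false"):
        print(q, "->", precedence_report(q, "publicProfile"))

    # Constructed: a JSON body polluted with a duplicate key.
    body = '{"user": "attacker", "publicProfile": true, "publicProfile": false}'
    print("json.loads keeps:", json.loads(body)["publicProfile"])
    print("duplicate keys present:", json_has_duplicate_keys(body))
```

When the injected duplicate sits before the application's own parameter, only a first-wins back-end is overridden; when the front-end appends it afterwards, only a last-wins back-end is. That is why the override test is run in both positions and combined with the truncation test, which removes the application's copy altogether. On the defensive side, rejecting duplicate keys at the boundary removes the ambiguity rather than relying on whichever precedence the parser happens to have.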