< Back





4. Exploiting server-side parameter pollution in a query string

We're asked to delete the user "carlos", but how?! We don't even have login information. Checking
out the "My account" page, we can click "Forgot password?" and it takes us to a /forgot-password
page. Submitting administrator as the username for the forgotten password, we receive a response to
check our email.

Looking deeper at the HTML form, we notice that there's some Javascript handling the form
submission. Looks like it's making a post request with our username to /forgot-password. Adding a
# after the username parameter in the POST request, we receive a 400 Bad Request response, asking
for the "field" parameter.

Looks like the field parameter is being specified by default? When we receive a 200 OK from our
POST to /forgot-password, looks like "type" says "email". Looking at the rest of of Javascript,
seems like "reset_token" is a valid parameter. Injecting "&field=reset_token" to our username
parameter, the backend processes our request and responds with a reset_token for the user.

Using this vulnerability, we reset the administrator's password, login as the administrator, and
delete the user "carlos".


Solution