Introduction to API Testing — Server-Side Parameter Pollution

Some web applications have internal APIs shielded from direct internet access. However, if user input is inadequately encoded in server-side requests to these APIs, a vulnerability arises. This is precisely where server-side parameter pollution comes into play, allowing attackers to inject or manipulate parameters and gain unauthorized advantages.To assess a system’s vulnerability to SSPP, testers can focus on various input sources, such as query parameters, form fields, headers, and URL path parameters. For instance, testing in the query string involves inserting query syntax characters like #, &, and = into the input and observing the application’s response.Consider a vulnerable application that enables you to search for other users based on their username. When you search for a user, your browser makes the following request: GET /userSearch?name=peter&back=/homeTo retrieve user information, the server queries an internal API with the following request: GET /users/search?name=peter&publicProfile=trueA potential attack scenario involves attempting to truncate server-side requests using a URL-encoded # character. By modifying the query string, testers can evaluate whether the server-side request has been truncated and if publicProfile field requirements can be bypassed to access non-public user profiles.For example, you could modify the query string to the following: GET /userSearch?name=peter%23foo&back=/homeThe front-end will try to access the following URL: GET /users/search?name=peter#foo&publicProfile=true

Injecting invalid parameter

Attackers can use URL-encoded & characters to inject invalid parameters or add second valid parameters to server-side requests. By reviewing the application’s response, testers gain insights into how additional parameters are parsed and processed, uncovering potential vulnerabilities that can be…