1
00:00:07,530 --> 00:00:08,890
- [Narrator] Two of the most common

2
00:00:08,890 --> 00:00:11,100
authorization-based vulnerabilities

3
00:00:11,100 --> 00:00:14,630
are parameter pollution vulnerabilities

4
00:00:14,630 --> 00:00:18,773
and insecure direct object reference vulnerabilities.

5
00:00:19,690 --> 00:00:22,050
Now, later in the course, you're gonna learn more

6
00:00:22,050 --> 00:00:24,930
about the insecure direct object reference vulnerabilities.

7
00:00:24,930 --> 00:00:27,720
So here, I'm gonna concentrate

8
00:00:27,720 --> 00:00:32,647
on the HTTP parameter pollution vulnerabilities, or HPP.

9
00:00:34,200 --> 00:00:37,120
Now, HPP vulnerabilities can be introduced

10
00:00:37,120 --> 00:00:42,120
if multiple HTTP parameters have the same name.

11
00:00:42,780 --> 00:00:45,630
This issue may also cause an application

12
00:00:45,630 --> 00:00:48,320
to interpret values incorrectly.

13
00:00:48,320 --> 00:00:50,630
Basically, you, as an attacker,

14
00:00:50,630 --> 00:00:52,480
can take advantage of these vulnerabilities

15
00:00:52,480 --> 00:00:57,230
to bypass input validation, to trigger application errors,

16
00:00:57,230 --> 00:01:01,223
and also to modify internal variable values.

17
00:01:02,260 --> 00:01:04,360
HPP vulnerabilities can definitely lead

18
00:01:04,360 --> 00:01:07,720
to server-side and client-side attacks.

19
00:01:07,720 --> 00:01:10,440
Now, an attacker can actually find HPP vulnerabilities

20
00:01:10,440 --> 00:01:15,440
by finding forms or actions that allow user-supplied input.

21
00:01:15,740 --> 00:01:19,680
Then, the attacker can append the same parameter

22
00:01:19,680 --> 00:01:23,603
to GET or POST data, or a POST request.

23
00:01:24,470 --> 00:01:26,640
Now, let's take a look at the URL

24
00:01:26,640 --> 00:01:28,040
that I'm showing on the screen.

25
00:01:28,040 --> 00:01:31,830
So, in this case, actually store.h4cker.org.

26
00:01:31,830 --> 00:01:36,490
This URL has a query string called search

27
00:01:36,490 --> 00:01:41,490
and then, it also has a parameter called cars, right?

28
00:01:41,490 --> 00:01:44,280
So, the attacker can actually append

29
00:01:44,280 --> 00:01:47,410
the same parameter with a different value

30
00:01:47,410 --> 00:01:49,550
and then submit the new request.

31
00:01:49,550 --> 00:01:51,940
After that request has actually been submitted,

32
00:01:51,940 --> 00:01:53,620
the attacker can actually analyze

33
00:01:53,620 --> 00:01:56,774
the response to identify whether

34
00:01:56,774 --> 00:01:59,060
any of the values actually entered

35
00:01:59,060 --> 00:02:01,540
were parsed by the application.

36
00:02:01,540 --> 00:02:03,210
Sometimes it is actually necessary

37
00:02:03,210 --> 00:02:06,630
to send three, you know, HTTP requests

38
00:02:06,630 --> 00:02:09,740
for each parameter or more, so if the response

39
00:02:09,740 --> 00:02:12,080
from the third parameter is different

40
00:02:12,080 --> 00:02:15,314
from the first one or the second one,

41
00:02:15,314 --> 00:02:19,520
then this may be an indicator of impedance

42
00:02:19,520 --> 00:02:21,900
or, what we call, impedance mismatch

43
00:02:21,900 --> 00:02:24,010
that could be abused to trigger

44
00:02:24,010 --> 00:02:25,523
these types of vulnerabilities.
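The probing technique the narrator describes (append the same parameter with marker values, then read the response to learn which occurrence the application parsed) and the impedance mismatch it exposes, as an added example that is not part of the course or the transcript. The search endpoint, its allowlist, and the four duplicate-parameter policies ("first", "last", "join", "all") are simulated in-process and are not the behaviour of any named framework; the `cars=toyota` query on `store.h4cker.org/search` is modelled on the URL shown in the video.

```python
"""Simulated HTTP parameter pollution (HPP) probe and impedance-mismatch bypass.

Added example: the handlers, their duplicate-parameter policies and the
allowlist are constructed here and do not describe any specific framework.
"""
from urllib.parse import parse_qsl, quote, urlsplit

ALLOWED_CARS = {"toyota", "honda", "ford"}  # constructed allowlist
# Constructed query, modelled on the store.h4cker.org URL in the transcript.
BASE_URL = "https://store.h4cker.org/search?cars=toyota"


def resolve_params(query, policy):
    """Collapse a query string with repeated names under one policy.

    Real parsers differ in how they resolve a repeated name; these are the
    common choices, simulated:
      'first' - keep the first occurrence
      'last'  - keep the last occurrence
      'join'  - concatenate every occurrence with commas
      'all'   - keep every occurrence as a list
    """
    merged = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        merged.setdefault(name, []).append(value)
    if policy == "all":
        return merged
    pick = {"first": lambda vs: vs[0],
            "last": lambda vs: vs[-1],
            "join": lambda vs: ",".join(vs)}[policy]
    return {name: pick(values) for name, values in merged.items()}


def pollute(url, name, *values):
    """Append name=value pairs to the URL's query string (the narrator's probe)."""
    sep = "&" if urlsplit(url).query else "?"
    extra = "&".join(f"{name}={quote(v, safe='')}" for v in values)
    return url + sep + extra


def simulated_handler(url, policy):
    """A search endpoint that echoes the 'cars' value it resolved (constructed)."""
    params = resolve_params(urlsplit(url).query, policy)
    cars = params.get("cars", "")
    if isinstance(cars, list):
        cars = ", ".join(cars)
    return f"Results for: {cars}"


def classify_hpp(url, name, handler):
    """Send the parameter three more times with unique markers and read the echo
    to see which occurrence was parsed. Returns a label for the parser's policy."""
    markers = ["hpp1", "hpp2", "hpp3"]
    body = handler(pollute(url, name, *markers))
    seen = [m for m in markers if m in body]
    if not seen:
        return "first-wins"      # only the original value was reflected
    if seen == ["hpp3"]:
        return "last-wins"
    if seen == markers:
        return "all-values"      # joined or array: every occurrence parsed
    return "unknown: " + ",".join(seen)


def validate_then_dispatch(url, validator_policy, backend_policy):
    """A front-end validator and a backend that parse the same query independently.

    Returns (validator verdict, value the backend acted on). When the two
    components resolve duplicates differently, the validator checks one
    occurrence while the backend uses another: the impedance mismatch.
    """
    query = urlsplit(url).query
    checked = resolve_params(query, validator_policy).get("cars")
    if checked not in ALLOWED_CARS:
        return ("rejected", None)
    used = resolve_params(query, backend_policy).get("cars")
    return ("accepted", used)


if __name__ == "__main__":
    for policy in ("first", "last", "join", "all"):
        label = classify_hpp(BASE_URL, "cars",
                             lambda u, p=policy: simulated_handler(u, p))
        print(f"{policy:>5} policy -> {label}")
    # 'lexus' is not on the allowlist; a first-wins validator never sees it.
    polluted = pollute(BASE_URL, "cars", "lexus")
    print(validate_then_dispatch(polluted, "first", "last"))
```

The three-marker probe is what tells the two cases apart that a single duplicate cannot: a response carrying only `hpp3` means last-wins, one carrying all three means the parser joined or listed them, and one carrying none means first-wins. The bypass needs no special payload, only a value the validator's occurrence never contained.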