Parameter Delimiter
Description
This attack manipulates the delimiters that a web application uses to separate parameters in its input vectors, in order to cause unexpected behaviour such as access control or authorization bypass and information disclosure, among others.
Risk Factors
TBD
Examples
To illustrate this attack, we use a vulnerability found in Poster V2, a posting system written in PHP.
The application stores its user records (username, password, email address and privileges) in the file “mem.php”, which manages the application's users, and it allows a user to inject data into those fields.
An example of “mem.php”, in which the user Jose has admin privileges and Alice has normal user access:
<?
Jose|12345678|jose@attack.com|admin|
Alice|87654321|alice@attack.com|normal|
?>
When a user wants to edit their profile, they must use the “edit account” option on the index.php page and enter their login information. However, by using | as a parameter delimiter in the email field, followed by admin, the user could elevate their privileges to administrator. Example:
Username: Alice
Password: 87654321
Email: alice@attack.com |admin|
This information will be recorded in the mem.php file like this:
Alice|87654321|alice@attack.com|admin|normal|
In this case, the last delimited parameter the application considers is |admin|, so the user has elevated their privileges by assigning themselves the administrator profile.
Although this vulnerability doesn’t allow manipulation of other users’ profiles, it allows privilege escalation for application users.
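The following is an added example, not Poster's code, that re-creates the mechanics of the mem.php scenario in Python: a naive writer and reader for a pipe-delimited user store, the “edit account” step that rewrites a user's line, and a hardened writer and reader. The field layout, the store contents and the hypothetical function names (serialize_naive, parse_strict, update_email and so on) are constructed for this illustration.

```python
"""Constructed re-creation of a pipe-delimited user store (not Poster's code).

Shows how an unchecked delimiter in the email field lets the fourth field of
the record be overwritten, and how a strict writer/reader closes the hole.
"""

DELIM = "|"
FIELDS = ("username", "password", "email", "role")
VALID_ROLES = {"admin", "normal"}

# Constructed sample store mirroring the layout shown for mem.php.
ORIGINAL_STORE = (
    "Jose|12345678|jose@attack.com|admin|\n"
    "Alice|87654321|alice@attack.com|normal|\n"
)


class DelimiterError(ValueError):
    """Raised when a field or record violates the delimiter format."""


def serialize_naive(username, password, email, role):
    """Vulnerable writer: joins the fields without checking for the delimiter."""
    return DELIM.join((username, password, email, role)) + DELIM


def parse_naive(line):
    """Vulnerable reader: splits on '|' and trusts the positional fields."""
    parts = line.rstrip("\n").split(DELIM)
    return dict(zip(FIELDS, parts[:4]))


def serialize_strict(username, password, email, role):
    """Hardened writer: refuses any field containing the delimiter or a newline
    and only accepts a known role value."""
    fields = (username, password, email, role)
    for name, value in zip(FIELDS, fields):
        if DELIM in value or "\n" in value:
            raise DelimiterError(f"{name} contains a reserved character")
    if role not in VALID_ROLES:
        raise ValueError(f"unknown role {role!r}")
    return DELIM.join(fields) + DELIM


def parse_strict(line):
    """Hardened reader: requires exactly four fields plus the trailing delimiter,
    so a record with an injected extra field is rejected rather than trusted."""
    parts = line.rstrip("\n").split(DELIM)
    if len(parts) != len(FIELDS) + 1 or parts[-1] != "":
        raise DelimiterError("malformed record")
    rec = dict(zip(FIELDS, parts[:-1]))
    if rec["role"] not in VALID_ROLES:
        raise ValueError(f"unknown role {rec['role']!r}")
    return rec


def update_email(store, username, new_email, serialize):
    """Simulates 'edit account': rewrite the user's line with a new email while
    keeping the stored password and role; the role is never taken from the form."""
    out = []
    for line in store.splitlines():
        parts = line.split(DELIM)
        if parts[0] == username:
            line = serialize(parts[0], parts[1], new_email, parts[3])
        out.append(line)
    return "\n".join(out) + "\n"


def effective_role(store, username, parse):
    """Role the application would grant after reading the store with `parse`."""
    for line in store.splitlines():
        rec = parse(line)
        if rec["username"] == username:
            return rec["role"]
    return None


def demo_naive():
    """Replays the page's scenario against the naive writer and reader."""
    store = update_email(ORIGINAL_STORE, "Alice", "alice@attack.com|admin", serialize_naive)
    return effective_role(store, "Alice", parse_naive)


def demo_strict_writer():
    """Same edit against the strict writer: the field is refused before it is stored."""
    try:
        update_email(ORIGINAL_STORE, "Alice", "alice@attack.com|admin", serialize_strict)
    except DelimiterError:
        return "rejected"
    return "accepted"


def demo_strict_reader():
    """A tampered line already on disk is refused by the strict reader."""
    tampered = "Alice|87654321|alice@attack.com|admin|normal|"
    try:
        parse_strict(tampered)
    except DelimiterError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print("naive reader grants:", demo_naive())
    print("strict writer:", demo_strict_writer())
    print("strict reader:", demo_strict_reader())
```

Two independent checks close the hole: the writer rejects (or, alternatively, escapes) the delimiter in every user-controlled field, and the reader enforces an exact field count instead of taking whichever field happens to land in the role position. Either alone stops this particular escalation; both together also catch records corrupted by other means, and a structured format with proper escaping (or a database) removes the delimiter problem entirely.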
Related Threat Agents
Related Attacks
Related Vulnerabilities
Related Controls
References
- http://cwe.mitre.org/data/definitions/141.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0307
Category:OWASP ASDR Project Category:Injection Category:Attack