Note: In this blog the website will be considered as instead of the original website. Every parameter name in the application will be written as “Param”, and the values will be shown either as asterisks “*” or as hand-typed gibberish. All values are hand-typed to protect the client’s details.

In this blog I will discuss how I was able to bypass the login validation for an untrusted user who is not present in the database/application, and ended up creating a new user without any maker-checker rule or admin intervention, so let’s get started.

As discussed in the previous blog, I successfully performed an HPP attack on the user; now let’s see how I turned it into XSS via HPP.

What is XSS?

Cross Site Scripting (XSS) allows clients to inject scripts into a request and have the server return the script to the client in the response. This occurs because the application is taking untrusted data (in this example, from the client) and reusing it without performing any validation or sanitization.

If the injected script is returned immediately this is known as reflected XSS. If the injected script is stored by the…

Note: This blog is divided into two parts. Part I is about how I figured out that the application is vulnerable to HTTP Parameter Pollution, and Part II is about how I converted it into stored XSS. The client’s name and some related details will not be shared.

What is HTTP Parameter Pollution?

It is a type of web attack in which the attacker crafts a request that lets them manipulate or retrieve hidden information. The attack is performed by splitting the attack scenario across multiple instances of a parameter with the same name.


NOTE: In the scenario below I will consider myself the attacker and explain accordingly. Consider that user1 is mapped to the attacker’s mobile number and user2 is mapped to the victim’s mobile number.

In this blog I will be talking about a mobile application which I was testing for a client (I cannot reveal the client’s name or the application name). It is a mobile application in which the user has to verify himself/herself as a legitimate user, and after successful verification he/she has to activate his/her customer ID; everything has to be done on the user’s device itself. The…

Amey Muley
