I'm going to unveil a new technique developed by me to hack web apps and sites.

Internal Parameter Poisoning

You might've heard about the HPP injection technique in web apps and websites. Now I'm presenting a technique which can be subcategorized under the tree of HPP injection: the "IPP injection". IPP stands for "Internal Parameter Poisoning" and is helpful in penetration testing.
The IPP injection employs the HPP injection technique, and the variable name-value pair is injected directly into the web server using GET or POST requests. The aftermath of the injection depends upon the use and implementation of the application's variable under attack.
Suppose that, somehow, I know the name of one of the variables, internalVar. Then I can inject this variable, for example, in the URL:
Now let us proceed with a live example from Pentagon:
But how do we know the names of internal variables?
Well, we can learn them either by brute forcing/hit-and-trial or by causing errors and exceptions in the web app.
For example, in the above site, when I specify a wrong value for the parameter
change it to:
Open following URL:
It returned the error:
Variable SUB_HEAD_TEXT is undefined
(Well, the above example is specially chosen for the sake of simplicity; otherwise, you may get even more robust errors revealing some source code or the line of code that caused the problem. From there, try to harvest the variable names.)
So what are we waiting for? Now let us inject this variable in the URL and give it any value.
The test revealed that this variable is being used in forming the returned page.
A complete hijack of the application's logic is possible if the variable value is used as an executing script or database query, though this will depend upon the way variables are initialized and implemented in the web app.
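
The root cause behind the behaviour described above, shown as an added example that is not code from the original post or from the site it mentions: a handler whose variable lookup falls back to request parameters, next to a hardened version. The function names, the `page` parameter, the `TITLES` table and the sample values are assumptions made for illustration; only the variable name SUB_HEAD_TEXT and its error text come from the post.

```python
import html
import logging

# Assumption: "page" is the only parameter this endpoint is meant to accept.
PUBLIC_PARAMS = {"page"}
TITLES = {"news": "Latest news"}

def render_vulnerable(query):
    """Weak: name lookup falls back to the request, like an unscoped variable."""
    scope = {}
    if query.get("page") in TITLES:
        # The internal variable is only set on the expected code path.
        scope["SUB_HEAD_TEXT"] = TITLES[query["page"]]
    for name, value in query.items():
        # Any client-supplied name fills a slot the code left uninitialized.
        scope.setdefault(name, value)
    if "SUB_HEAD_TEXT" not in scope:
        # Verbose error discloses the internal variable name to the client.
        raise NameError("Variable SUB_HEAD_TEXT is undefined")
    return "<h2>" + scope["SUB_HEAD_TEXT"] + "</h2>"

def render_hardened(query):
    """Fixed: allowlisted input, internals always initialized, output encoded."""
    unexpected = sorted(set(query) - PUBLIC_PARAMS)
    if unexpected:
        # Record the names server-side; the client gets a generic message.
        logging.warning("rejected unexpected parameters: %r", unexpected)
        raise ValueError("bad request")
    sub_head_text = TITLES.get(query.get("page"), "Home")
    return "<h2>" + html.escape(sub_head_text) + "</h2>"

if __name__ == "__main__":
    # Constructed sample request: unknown page value plus the leaked name.
    sample = {"page": "zzz", "SUB_HEAD_TEXT": "client-controlled text"}
    print(render_vulnerable(sample))
    try:
        render_hardened(sample)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The three changes that matter are the parameter allowlist, the unconditional initialization of the internal variable, and the generic error in place of one that names it.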