Parameter Addition

Overview Parameter addition may occur if the user submits a new parameter the site was not expecting to see. The site will generally not validate parameters that are unexpected. The classic case is sites outputting all parameters regardless of whether the site uses the parameter. The developer may dump all parameters and their values regardless of whether the parameters was expected. Many times this dump will be into an HTML comment so the user will not see the diagnostic output in the browser. Discovery Methodology Inject a new parameter that is not normally submitted by the application with a searchable string such as the word "CANARY" along with characters generally useful in writing HTML, JavaScript or other code. Search the response carefully noting any location where the test string appears unencoded. These locations may allow cross-site scripting. Exploitation Determine the prefix and suffix needed to make the injected code "fit" syntatically then add a payload between. Inject the exploit. Videos Click here to watch Introduction to Parameter Addition