The Param That Played Me: How HTTP Parameter Pollution Unlocked Admin Secrets
Summary
The author experienced a security breach when a duplicated query parameter gave them access to the admin panel of their website.
After this experience, they describe the steps they took to perform reconnaissance (or recon) before engaging in a bug bounty hunt.
The author uses a range of tools including Burp Suite, ParamSpider, and ffuf to scan all the endpoints of a target website and look for potential vulnerabilities.
They also describe how they brute-force parameter names using a custom wordlist.
The author recommends focusing on parameters, as the parameter pollution they experienced led to unauthorized access.
They also advise checking for reflected XSS (cross-site scripting), as this gives users more than they expect.
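As an added illustration (not code from the original post), the snippet below models why a duplicated query parameter is dangerous: different server-side parsers resolve a repeated key differently ("first wins" versus "last wins"), so an authorization check that trusts either one can be steered by the extra copy. The query string, function names and the strict parser that refuses repeated keys are constructed for this example.

```python
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qsl

# Constructed sample: the same parameter name is sent twice in one query string.
SAMPLE_QUERY = "id=42&role=user&role=admin"


def pairs(query: str):
    """All key/value pairs in order; blank values are kept so nothing is dropped silently."""
    return parse_qsl(query, keep_blank_values=True)


def first_wins(query: str) -> Dict[str, str]:
    """Behaviour of frameworks that keep the first occurrence of a repeated key."""
    result: Dict[str, str] = {}
    for key, value in pairs(query):
        result.setdefault(key, value)
    return result


def last_wins(query: str) -> Dict[str, str]:
    """Behaviour of frameworks that keep the last occurrence of a repeated key."""
    return dict(pairs(query))


def polluted_params(query: str) -> List[str]:
    """Names that occur more than once: the signature of a parameter-pollution attempt."""
    counts = Counter(key for key, _ in pairs(query))
    return sorted(key for key, n in counts.items() if n > 1)


def parse_strict(query: str) -> Dict[str, str]:
    """Defensive parser: reject the whole request when any parameter is repeated."""
    dupes = polluted_params(query)
    if dupes:
        raise ValueError(f"repeated query parameter(s): {dupes}")
    return dict(pairs(query))


def is_admin_request(query: str) -> bool:
    """Authorization check that refuses to guess which copy of 'role' was meant."""
    try:
        params = parse_strict(query)
    except ValueError:
        return False
    return params.get("role") == "admin"


if __name__ == "__main__":
    print("first wins:", first_wins(SAMPLE_QUERY))
    print("last wins: ", last_wins(SAMPLE_QUERY))
    print("polluted:  ", polluted_params(SAMPLE_QUERY))
    print("admin?     ", is_admin_request(SAMPLE_QUERY))
```

Logging the output of `polluted_params` on every request is a cheap detection signal, since legitimate clients rarely send the same scalar parameter twice.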