Difference between revisions of "Parameter Delimiter"

Jump to: navigation, search
(Related Threat Agents)
Line 44: Line 44:
==Related [[Attacks]]==
==Related [[Attacks]]==
[[:Category:Injection Attack]]
* [[:Category:Injection Attack]]
==Related [[Vulnerabilities]]==
==Related [[Vulnerabilities]]==
[[:Category: Input Validation Vulnerability]]
* [[:Category: Input Validation Vulnerability]]
==Related [[Controls]]==
==Related [[Controls]]==
[[:Category: Input Validation Vulnerability]]
* [[:Category: Input Validation Vulnerability]]

Revision as of 17:52, 13 September 2008

This is an Attack. To view all attacks, please see the Attack Category page.

ASDR Table of Contents


This attack is based on manipulation of parameters delimiter used by web application input vectors, in order to cause unexpected behaviors like access control and authorization bypass, information disclosure, among others.

Risk Factors



In order to illustrate this vulnerability, it’ll be used a vulnerability found on Poster V2, a posting system based on PHP programming language.

This application has a dangerous vulnerability that allows inserting data into user fields (username, password, email address and privileges) in “mem.php” file, which is responsible for managing application user.

An example of the file “mem.php”, where user Jose has admin privileges and Alice user access:


When a user wants to edit his profile, he must use edit account” option in the “index.php” page and enter his login information. However, using “|” as a parameter delimiter on email field followed by “admin”, the user could elevate his privileges to administrator. Example:

Username: Alice
Password: 87654321
Email: alice@attack.com |admin| 

This information will be recorded in “mem.php” file like this:


In this case, the last parameter delimiter considered is “|admin|” and the user could elevate his privileges by assigning administrator profile.

Although this vulnerability doesn’t allow manipulation of others user profiles, it allows privilege escalation for application users.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls