I am pentesting a web application. It makes a backend call to another application, and I am trying to hijack that call.

I have gained control over the URL path, query parameters, and fragment that are being sent (e.g. if the URL is https://internal-app.com/ I can make it https://internal-app.com/whatever-path-I-want?also=queryparameters#andthefragment). But one of the query parameters is added automatically by the application, no matter what I do, and I'm trying to strip that query parameter.

I've discovered that the internal application interprets each byte of a unicode character as its own character (for example, with Ē, U+0112, which has a hex representation in UTF-8 of C4 92, the application interprets each byte separately, and C4 92 becomes Ä’, despite the fact that Ē was sent). I'm trying to exploit this bug to send the fragment symbol, #, without the first application realizing it (because if it realizes it, it adds the query parameter before the fragment).

So I need a unicode character with at least one hex byte of 23 (#=U+0023). But this seems to be impossible, as according to the Wikipedia page for UTF-8, in all characters that have multiple bytes, the bytes start with 10 (and the binary for # is 00100011).

Am I right in thinking that this is impossible? And if so, should I try a different encoding for the URL, or is there another character that I could try exploiting? (I've already tried the null byte, it rejects all requests with a null byte for security reasons.)

schroeder
Bob

1 Answer

According to the UTF-8 Wikipedia page, you will not be able to send a byte that would be interpreted as a # on its own as part of a larger UTF-8 character. The chart showing the encoding structure verifies this.

Have you tested to see if the query parameter is triggered whenever # appears in the query, or only the first time? You might be able to send enough #'s to get one to appear in the URL. I'm assuming that the site is encoding the # itself in the URL. It's my understanding that a raw # would cause the subsequent portion of the URL to remain client-side only, no matter where it appears.

jaredad7
  • Yes, that's my goal. I'm trying to include a hash before the query parameter so that it gets ignored. Fragments are supposed to remain client-side, but even if you do send one to the server, it ignores it, to account for a badly configured client. The query parameter appears no matter what I do. – Bob Aug 05 '21 at 15:28
  • Can you add the query parameter yourself with malformed data? – jaredad7 Aug 05 '21 at 15:36
  • I did try to do that, yes, but it still won't be stripped. (?queryParameter=myData&queryParameter=applicationData, which then gets interpreted as myData,applicationData and that's not helpful). – Bob Aug 05 '21 at 15:38
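The structural argument made in the question and confirmed in the answer can be checked mechanically. The following is an added example, not code from the original question or answer: it classifies every byte value by its role in UTF-8, exhaustively encodes every code point to show that no multi-byte sequence ever contains a byte below 0x80 (so 0x23, '#', can never be hidden inside one), and reproduces the byte-splitting decode the asker describes. The choice of cp1252 as the backend's per-byte interpretation is an assumption; it is the one reading of C4 92 that yields exactly the Ä’ shown on the page.

```python
# Added example: why a '#' byte cannot be smuggled inside a multi-byte UTF-8
# character, plus a reproduction of the byte-wise misdecoding described above.

def utf8_byte_role(b: int) -> str:
    """Classify a single byte value by the role it can play in UTF-8."""
    if b < 0x80:
        return "ascii"          # 0xxxxxxx: always a complete one-byte character
    if b < 0xC0:
        return "continuation"   # 10xxxxxx: only ever a trailing byte
    if 0xC2 <= b < 0xE0:
        return "lead2"          # 110xxxxx: starts a two-byte sequence
    if 0xE0 <= b < 0xF0:
        return "lead3"          # 1110xxxx: starts a three-byte sequence
    if 0xF0 <= b < 0xF5:
        return "lead4"          # 11110xxx: starts a four-byte sequence
    return "invalid"            # 0xC0, 0xC1 and 0xF5..0xFF never occur in valid UTF-8


def can_hide_in_multibyte(target: int) -> bool:
    """True iff some valid multi-byte UTF-8 sequence can contain `target` as one of its bytes."""
    return utf8_byte_role(target) in ("continuation", "lead2", "lead3", "lead4")


def bytes_found_in_multibyte_sequences() -> set[int]:
    """Exhaustively encode every non-ASCII code point and collect every byte that appears.

    This is the brute-force counterpart to the encoding chart on the Wikipedia page:
    the result contains no value below 0x80, so it cannot contain 0x23 ('#').
    """
    seen: set[int] = set()
    for cp in range(0x80, 0x110000):
        if 0xD800 <= cp <= 0xDFFF:
            continue            # surrogate code points have no UTF-8 encoding
        seen.update(chr(cp).encode("utf-8"))
    return seen


def bytewise_mojibake(text: str) -> str:
    """Reproduce the backend bug: decode each UTF-8 byte as its own single-byte character.

    Assumption: the backend reads bytes as cp1252, which is what turns the two
    bytes C4 92 of 'Ē' into 'Ä’' as described in the question.
    """
    return text.encode("utf-8").decode("cp1252", errors="replace")


if __name__ == "__main__":
    print(f"role of 0x23 ('#'): {utf8_byte_role(0x23)}")
    print(f"can '#' hide in a multi-byte sequence? {can_hide_in_multibyte(0x23)}")
    print(f"smallest byte seen in any multi-byte sequence: {min(bytes_found_in_multibyte_sequences()):#x}")
    print(f"'Ē' misdecoded byte-wise: {bytewise_mojibake('Ē')}")
```

The reason is visible in `utf8_byte_role`: every lead and continuation byte has its high bit set, so any byte below 0x80 is by construction a standalone ASCII character and is seen as such by the first application's '#' check. From the defender's side this is also the lesson of the described bug: the backend should decode the request as UTF-8 (or reject invalid sequences) rather than treating each byte as its own character, and checks such as the null-byte rejection and the fragment handling should be applied to the decoded form.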