14Şub
What exactly are Hidden HTTP Parameters?
I read a lot of reports where 'hackers' potentially exploited a 'Hidden HTTP Parameter'. There are also tons of tools which are developed for this exact purpose.
Example : https://blog.yeswehack.com/yeswerhackers/parameter-discovery-quick-guide-to-start/
But what do they mean by hidden?
I could think of 2 scenarios:
- The parameter is not visible in the GUI (the browser) but then can easily be viewed by using a proxy such as Burp or Zap, which makes them not so hidden.
- The backend developer mistakenly created a parameter 'xyz', which the hacker 'guessed' (used regex or got lucky) sent a GET or a POST request with that parameter, which then got executed in the backend. But for this to work, 'xyz' would actually have to parse that request, so that the payload gets executed. But why would a developer create a parameter like this in the first place, if it doesn't serve a real purpose.
Or is it an entirely different scenario that I can't think of?
