# Ruby _json pollution
{{#include ../../banners/hacktricks-training.md}}
This is a summary of the post [https://nastystereo.com/security/rails-_json-juggling-attack.html](https://nastystereo.com/security/rails-_json-juggling-attack.html)
## Basic information
When a JSON request body is parsed, Rails places any top-level value that is not a hash (an array, for instance) under a new parameter named `_json`. Nothing stops an attacker from sending a hash body that itself contains a `_json` key holding whatever values they choose. So if the backend validates or authorizes one parameter (say `id`) but then uses `_json` to decide what to act on, the check can be bypassed: the attacker satisfies the check with a legitimate `id` and supplies the real targets in `_json`. A body like the following is parsed as an ordinary object, yet `params[:_json]` is now attacker-controlled:
```json
{
  "id": 123,
  "_json": [456, 789]
}
```
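The following script, added here as an illustration and not taken from the original post, reproduces the juggling offline. `rails_json_params` is a stand-in for the ActionDispatch JSON parser (a non-hash top-level value is wrapped under `_json`; a hash is used as-is); `RECORDS`, `ADMINS`, `vulnerable_destroy` and `hardened_destroy` are hypothetical application logic written for this example, using the ids from the body above as constructed sample data.

```ruby
require "json"

# Stand-in for the Rails JSON params parser (ActionDispatch): a top-level JSON
# object becomes the params hash as-is; any other top-level value (array,
# string, number) is wrapped under the "_json" key. Written for this example,
# not Rails code.
def rails_json_params(raw_body)
  data = JSON.parse(raw_body)
  data.is_a?(Hash) ? data : { "_json" => data }
end

# Constructed sample data: record id => owner, and the list of admin users.
RECORDS = { 123 => "alice", 456 => "bob", 789 => "bob" }.freeze
ADMINS  = ["root"].freeze

def owned_by?(id, user)
  RECORDS[id.to_i] == user
end

# Vulnerable pattern (hypothetical controller logic). The authorization step
# branches on the presence of "id" and assumes "_json" only exists for array
# bodies, which reach the admin-only bulk path. The action then branches on
# "_json" to pick its targets. Returns the ids that would be deleted.
def vulnerable_destroy(raw_body, user)
  params = rails_json_params(raw_body)
  if params.key?("id")
    raise "forbidden" unless owned_by?(params["id"], user)
  else
    raise "forbidden" unless ADMINS.include?(user) # bulk path is admin-only
  end
  ids = params.key?("_json") ? Array(params["_json"]) : [params["id"]]
  ids.map(&:to_i)
end

# Hardened version. Rails only synthesizes "_json" for non-object bodies, so
# an object carrying its own "_json" key was crafted by the client and is
# refused outright. Independently of that, every id the action will touch is
# authorized, not just the one the client chose to put in "id".
def hardened_destroy(raw_body, user)
  data = JSON.parse(raw_body)
  raise "bad request" if data.is_a?(Hash) && data.key?("_json")
  params = data.is_a?(Hash) ? data : { "_json" => data }
  ids = (params.key?("_json") ? Array(params["_json"]) : [params["id"]]).map(&:to_i)
  ids.each do |id|
    raise "forbidden" unless ADMINS.include?(user) || owned_by?(id, user)
  end
  ids
end

if __FILE__ == $PROGRAM_NAME
  attack = '{"id": 123, "_json": [456, 789]}'
  # alice owns only 123, yet the vulnerable handler deletes bob's 456 and 789
  puts "vulnerable: #{vulnerable_destroy(attack, "alice").inspect}"
  begin
    hardened_destroy(attack, "alice")
  rescue RuntimeError => e
    puts "hardened: #{e.message}"
  end
end
```

The second guard in `hardened_destroy` (authorize the derived target list, not the parameter the client chose) is the one that matters; rejecting an object body that contains `_json` is a cheap extra signal, since a legitimate Rails client can only produce `_json` by sending a non-object body.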
## References
- [https://nastystereo.com/security/rails-_json-juggling-attack.html](https://nastystereo.com/security/rails-_json-juggling-attack.html)
{{#include ../../banners/hacktricks-training.md}}