web javascript nodejs parameter-pollution sqlite express logic-bug

Send repeated/array fields so a Node app spreads them into SQLite params, distorting binding order or values.

Parameter Pollution / Array Fields to Break SQLite Bind Logic

Node request parsers often represent repeated fields as arrays. If the SQL layer expects scalars and the app blindly spreads or maps request values into run(...params), binding order or values can be distorted.

Why It Works

  • Array-shaped fields collapse, stringify, or shift parameter positions, changing the SQL write outcome.

Vulnerable Pattern

  • Express-style handlers taking req.body fields directly into SQLite statements without explicit scalar validation and normalization.

Exploit Flow

  1. Compare endpoint behavior with single-valued vs. repeated array-shaped fields.
  2. Determine whether arrays collapse, stringify, or shift parameter positions.
  3. Use the distortion to create a privileged record, bypass uniqueness, or break one-user-per-email logic.

Variations

  • field[], repeated keys, JSON arrays, or mixed form + JSON inputs depending on the parser stack.

Common Blockers

  • Schema validators that coerce arrays to a single string or reject them outright.
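The scalar check described above, next to the blind-spread pattern it replaces, as an added example that is not from the original page or the referenced challenge. parseForm, COLUMNS, naiveParams, scalarParams and bindPreview are hypothetical names, the two-placeholder INSERT is assumed, and trim/lowercase is one assumed normalization.

```javascript
// Added example. parseForm is a constructed stand-in for a body parser that
// represents repeated or field[] keys as arrays; it is not Express's own parser.
function parseForm(body) {
  const out = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(body)) {
    const isArrayKey = rawKey.endsWith('[]');
    const key = isArrayKey ? rawKey.slice(0, -2) : rawKey;
    if (key in out) out[key] = [].concat(out[key], value);
    else out[key] = isArrayKey ? [value] : value;
  }
  return out;
}

const COLUMNS = ['email', 'username']; // placeholders of a hypothetical INSERT ... VALUES (?, ?)

// Weak: spreads whatever shape the parser produced into the bind list.
function naiveParams(body) {
  return COLUMNS.flatMap((c) => body[c]);
}

// Hardened: every bound value must be exactly one bounded, non-empty string.
function scalarParams(body) {
  return COLUMNS.map((c) => {
    const v = typeof body[c] === 'string' ? body[c].trim() : null;
    if (!v || v.length > 254) {
      throw new TypeError(`field "${c}" must be a single non-empty string`);
    }
    return c === 'email' ? v.toLowerCase() : v;
  });
}

// Pair each placeholder with the value that lands in it positionally.
function bindPreview(params) {
  return {
    bound: Object.fromEntries(COLUMNS.map((c, i) => [c, params[i]])),
    extra: params.slice(COLUMNS.length),
  };
}

// Constructed inputs: the page's PoC body and an ordinary single-valued body.
const polluted = parseForm('email[]=admin@example.com&email[]=victim@example.com&username=ADMIN');
const clean = parseForm('email=Victim@Example.com&username=bob');
console.log(bindPreview(naiveParams(polluted))); // username slot holds the second email
console.log(scalarParams(clean));
try { scalarParams(polluted); } catch (e) { console.log('rejected:', e.message); }
```

How a real driver treats the surplus value in `extra` depends on the SQLite binding library in use, so the preview only shows the positional shift, not a specific driver's behavior.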

PoC Sketch

email[]=admin@example.com&email[]=victim@example.com&username=ADMIN
# compare how the backend binds them into SQLite

Good Situations To Use It

  • An Express app maps req.body straight into parameterized SQLite.
  • No scalar validation/normalization is applied.
  • Binding order affects a uniqueness or identity check.

Sources

  • plfanzen2026/web/thank_you_javascript