Nir Goldhsanger asked me to share with my audience a nice privilege escalation through parameter pollution he found, allowing the attacker to become administrator of any Blogger blog, which he dutifully reported to Google and deserved him the famous $1337 bug bounty.
I’m quite impressed by the first step of the attack, where the application gets fouled by a double “blogID” parameter: the first gets validated (it actually refers to a blog owned by the attacker) but then the second is actually used to perform the “add authors” action. Looking at the URL, it would seem they use Struts or some other Java-based framework. Since I’m quite rusty with them (these days I mainly use PHP and Ruby on the server side), would anyone attempt a reverse engineering and explain which kind of code could get messed by this? Did they maybe parse their parameters twice, with two different parsers?!