HTTP Parameter Pollution is a rather uncommon bug that has been around for a couple of years. HPP is not present in the OWASP top 10, but in 2009 OWASP gave a presentation about the subject.
What is HPP?
“An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.” (MITRE)
To better help you understand HPP, PwnFunction made a video on different scenarios where HPP can be used.
Some key takeaways:
- See if user input gets reflected in the URL without being URL encoded
- Use HPP as a possible bypass for IDOR, XSS, SQLi, …
Below you can find a table on how the different backends behave on requests with 2 parameters with the same name.
For those who prefer reading, there is a white paper about HTTP Parameter Pollution by Marco Balduzzi.
The impact of HTTP Parameter Pollution depends on the context. It can be used to bypass a WAF or other input validation, or for URL rewriting that changes the behavior of the application.
reCAPTCHA bypass via HTTP Parameter Pollution by Andres Riancho
Client side HTTP Parameter Pollution – Yahoo! Classic Mail by Stefano Di Paola
Compromising a user account via HPP by Avinash Jain
How to prevent HPP?
- Make sure that user input is URL-encoded before it is embedded in a URL
- Validate input with strict regular expressions
- Be aware of how your backend processes multiple occurrences of the same parameter
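The following is an added example (not code from the original post) that ties the backend-behaviour point above to the prevention steps: it builds the same redirect URL with and without URL-encoding, shows how duplicate parameters surface when parsed, and makes the duplicate-handling rule explicit instead of leaving it to the backend. The endpoint, the `next` and `role` parameter names, and the `example.test` host are constructed for illustration.

```python
"""Hypothetical login endpoint used to illustrate HPP handling (example code)."""
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://example.test/login"  # constructed placeholder host


def build_redirect_vulnerable(next_page: str) -> str:
    # User input concatenated raw: '&' and '=' keep their delimiter meaning,
    # so a value containing them adds or overrides parameters.
    return f"{BASE}?next={next_page}"


def build_redirect_safe(next_page: str) -> str:
    # urlencode percent-encodes '&' and '=' so the value stays a single value.
    return f"{BASE}?{urlencode({'next': next_page})}"


def query_params(url: str) -> dict:
    # parse_qs keeps every occurrence, so duplicates are visible as lists
    # rather than silently collapsed the way many frameworks do.
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def first_occurrence_wins(url: str) -> dict:
    # Models a backend that honours the first occurrence of a parameter.
    return {k: v[0] for k, v in query_params(url).items()}


def last_occurrence_wins(url: str) -> dict:
    # Models a backend that honours the last occurrence of a parameter.
    return {k: v[-1] for k, v in query_params(url).items()}


def parse_strict(url: str) -> dict:
    # Defensive choice: reject any parameter that appears more than once
    # instead of guessing which occurrence the rest of the stack will use.
    params = query_params(url)
    dupes = sorted(k for k, v in params.items() if len(v) > 1)
    if dupes:
        raise ValueError(f"duplicate parameters: {dupes}")
    return {k: v[0] for k, v in params.items()}


if __name__ == "__main__":
    tainted = "home&role=admin"  # constructed input containing delimiters
    print(build_redirect_vulnerable(tainted))  # 'role' becomes its own parameter
    print(build_redirect_safe(tainted))        # next=home%26role%3Dadmin
    print(parse_strict(build_redirect_safe(tainted)))
```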
A short FAQ by Stefano Di Paola for those who still have questions about HTTP Parameter Pollution.