HTTP Parameter Pollution is a rather uncommon bug that has been around for a couple of years. HPP is not present in the OWASP top 10, but in 2009 OWASP gave a presentation about the subject.

What is HPP?

“An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.”

MITRE

To better help you understand HPP, PwnFunction made a video on different scenarios where HPP can be used.


Some key takeaways:

  • See if user input gets reflected in the URL without being URL encoded
  • Use HPP as a possible bypass for IDOR, XSS, SQLi, …

Below you can find a table showing how different backends behave when a request contains two parameters with the same name.

Source: https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-INPVAL-004)
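As an added illustration (not code from the post or from the OWASP guide), the following Python snippet models the resolution policies the OWASP table documents: keep the first occurrence, keep the last, concatenate all with a comma, or expose all as a list. The sample query string is constructed; the mapping of policies to backends in the comments is taken from the OWASP testing guide.

```python
from urllib.parse import parse_qsl

# Constructed sample: the same parameter name sent twice, as an HPP probe would.
SAMPLE_QUERY = "id=1&id=2&action=view"

# Resolution policies documented in the OWASP HPP testing guide table, e.g.:
#   "last"  - PHP/Apache keeps the last occurrence
#   "first" - JSP/Tomcat keeps the first occurrence
#   "join"  - ASP.NET/IIS concatenates all occurrences with a comma
#   "all"   - Python/Zope exposes every occurrence as a list
POLICIES = ("first", "last", "join", "all")


def group_params(query: str) -> dict:
    """Group query-string values by name, preserving order of occurrence."""
    grouped: dict = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def resolve_params(query: str, policy: str) -> dict:
    """Return the parameter map a backend using `policy` would see."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    resolved = {}
    for name, values in group_params(query).items():
        if policy == "first":
            resolved[name] = values[0]
        elif policy == "last":
            resolved[name] = values[-1]
        elif policy == "join":
            resolved[name] = ",".join(values)
        else:  # "all"
            resolved[name] = list(values)
    return resolved


def duplicated_params(query: str) -> list:
    """Names that occur more than once: the condition HPP depends on,
    and a cheap thing to log or reject at the edge (WAF, reverse proxy)."""
    return [name for name, values in group_params(query).items() if len(values) > 1]


def compare_backends(query: str, name: str) -> dict:
    """Resolve one parameter under every policy side by side. When a front end
    (WAF, proxy) and the application backend use different policies, they
    validate and act on different values for the same request."""
    return {policy: resolve_params(query, policy)[name] for policy in POLICIES}


if __name__ == "__main__":
    print(compare_backends(SAMPLE_QUERY, "id"))
    print("duplicated:", duplicated_params(SAMPLE_QUERY))
```

The `compare_backends` output is the whole point of the OWASP table in one line: a validation layer that checks `id=1` (first) while the application acts on `id=2` (last) has been bypassed without any malformed input.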

Presentation by OWASP about HTTP Parameter Pollution

For those who like to read, a white paper about HTTP Parameter Pollution by Marco Balduzzi

Impact

The impact of HTTP Parameter Pollution varies depending on the context. It can be used to bypass a WAF or other input validation, or to rewrite URLs and change the behavior of the application.

reCAPTCHA bypass via HTTP Parameter Pollution by Andres Riancho

Client side HTTP Parameter Pollution – Yahoo! Classic Mail by Stefano Di Paola

Bypassing Digits web authentication’s host validation with HPP on Twitter by filedescriptor

Compromising a user account via HPP by Avinash Jain

How to prevent HPP?

  • Make sure that user input is URL-encoded before it is embedded in a URL
  • Validate parameters with strict regular expressions
  • Be aware of how the backend processes multiple occurrences of a parameter
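The three measures above, as an added Python example that is not part of the post: an unsafe string concatenation next to its `urlencode` replacement, and a strict getter that only accepts a parameter that appears exactly once and matches an allow-list regex in full. The base URL and the untrusted value are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed untrusted input (not from the page): contains a query delimiter.
UNTRUSTED_NEXT = "/account&role=admin"


def naive_build_url(base: str, name: str, value: str) -> str:
    """Insecure, shown for contrast: raw concatenation lets '&' and '=' in
    the value create extra parameters (the HPP injection point)."""
    return f"{base}?{name}={value}"


def build_url(base: str, params: dict) -> str:
    """Embed values via urlencode, so '&' and '=' inside a value become
    %26 and %3D and are parsed back as part of a single value."""
    return f"{base}?{urlencode(params)}"


def param_names(url: str) -> list:
    """Parameter names as a query parser sees them, used to compare both builders."""
    return [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def single_value(query: str, name: str, pattern: str):
    """Return the value of `name` only if it occurs exactly once and matches
    `pattern` in full; otherwise None, so the caller rejects the request
    instead of guessing which occurrence the backend will pick."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    if len(values) != 1:
        return None
    if re.fullmatch(pattern, values[0]) is None:
        return None
    return values[0]


if __name__ == "__main__":
    print(param_names(naive_build_url("https://example.com/login", "next", UNTRUSTED_NEXT)))
    print(param_names(build_url("https://example.com/login", {"next": UNTRUSTED_NEXT})))
    print(single_value("id=42", "id", r"[0-9]{1,9}"))
    print(single_value("id=42&id=7", "id", r"[0-9]{1,9}"))
```

`re.fullmatch` is used rather than `re.match` so the pattern must cover the whole value; a pattern that only anchors the start would still let a delimiter through at the end. Rejecting duplicates outright (rather than picking first or last) is the only behaviour that is independent of what the backend table says.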

A short FAQ by Stefano Di Paola for those who still have questions about HTTP Parameter Pollution.

Want more?

Follow us on twitter and don’t forget to subscribe to our weekly Bug Bytes, a newsletter curated by Pentester Land & powered by intigriti containing more write-ups and helpful resources.