With HTTP Parameter Pollution (HPP) attacks, threat actors can hide scripts and processes in URLs. First discovered in 1999, this technique can also allow threat actors to pollute the parameters in the URL and the request body. This could lead to behavior changes in the app, such as cross-site scripting, privilege changes or granting unwanted access.
HPP remains a risk to watch out for today. Read on to discover how HPP attacks work and how to spot them.
The Impact of HTTP Parameter Pollution
An attacker can use an HPP attack to perform many different unwanted actions. They can override the existing hardcoded HTTP parameters, modify the application behavior and access and exploit the user-uncontrollable variables. HPP attacks also enable people to bypass input validation checks and web application firewall (WAF) rules. It opens up routes to attacks, including cross-site scripting (XSS), structured query language (SQL) injection. HPP attacks can be performed by polluting HTTP GET/POST requests by injecting multiple parameters with the same name holding different values and kept apart by delimiters.
Types of HTTP Parameter Pollution
HPP can be classified into two types: client side or server side. Different web servers behave in different ways when they receive multiple parameters with the same name since ways to parse parameters vary. Client-side or server-side HPP attacks are possible depending on the way requests are handled.
For example, PHP/Apache-based apps use the last occurrence of the parameter, while Jakarta Server Pages (JSP)/Tomcat-based apps use the first. The table below shows how different languages and web servers manage this.
Technology/HTTP back-end
Overall Parsing Result
Example
ASP.NET/IIS
All occurrences of ..
Support the originator by clicking the read the rest link below.
