HTTP parameter pollution
HTTP Parameter Pollution (HPP) is a
parameters. The vulnerability occurs when user input is not correctly encoded for output by a web application.[1] It allows the injection of parameters into URLs created by the web application. It was first presented to the public in 2009 by Stefano di Paola and Luca Carettoni at the OWASP EU09 Poland conference.[1] The impact of such a vulnerability varies, ranging from a "simple annoyance" to complete disruption of the intended behavior of a web application. Possible consequences of an HPP attack include overriding HTTP parameters to alter a web application's behavior, bypassing input and access validation checkpoints, and triggering other indirect vulnerabilities.[1]
There is no
Behaviour
When multiple parameters with the same name are passed in one request, the various back ends behave as follows.[3]
Technology | Parsing result | Example |
---|---|---|
ASP.NET/IIS | All occurrences concatenated with a comma | param=val1,val2 |
ASP/IIS | All occurrences concatenated with a comma | param=val1,val2 |
PHP/Apache | Last occurrence only | param=val2 |
PHP/Zeus | Last occurrence only | param=val2 |
JSP, Servlet/Apache Tomcat | First occurrence only | param=val1 |
JSP, Servlet/Oracle Application Server | First occurrence only | param=val1 |
JSP, Servlet/Jetty | First occurrence only | param=val1 |
IBM Lotus Domino | Last occurrence only | param=val2 |
IBM HTTP Server | First occurrence only | param=val1 |
mod_perl,libapreq2/Apache | First occurrence only | param=val1 |
Perl CGI/Apache | First occurrence only | param=val1 |
mod_wsgi (Python)/Apache | First occurrence only | param=val1 |
Python/Zope | All occurrences in list(array) | param=['val1','val2'] |
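To make the table concrete, the following Python example (added here; it is not code from the article or from any of its references) resolves duplicate parameters under each parsing policy listed above and flags the parameters that a front end and a back end would read differently, which is exactly the inconsistency HPP relies on. The policy names, function names and the sample query are constructed for this illustration.

```python
from urllib.parse import parse_qsl

# Resolution policies from the table above: which value(s) a back end sees
# when the same parameter name occurs more than once in a request.
POLICIES = {
    "first": lambda vals: vals[0],            # Tomcat, Jetty, mod_wsgi, ...
    "last": lambda vals: vals[-1],            # PHP/Apache, Lotus Domino, ...
    "concat": lambda vals: ",".join(vals),    # ASP and ASP.NET on IIS
    "list": lambda vals: list(vals),          # Python/Zope
}


def parse_query(query, policy):
    """Parse a query string, collapsing duplicates according to `policy`."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    resolve = POLICIES[policy]
    return {name: resolve(vals) for name, vals in grouped.items()}


def find_duplicates(query):
    """Names that occur more than once: the precondition for HPP.

    A request that trips this check deserves to be logged or rejected
    before any component acts on it."""
    counts = {}
    for name, _ in parse_qsl(query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


def inconsistent_params(query, front_policy, back_policy):
    """Parameters that a front end (proxy, WAF, validation layer) and the
    back end behind it would resolve to different values.

    A non-empty result means a check performed on the front end's view of
    the parameter does not cover the value the back end will actually use."""
    front = parse_query(query, front_policy)
    back = parse_query(query, back_policy)
    return sorted(n for n in front if front[n] != back[n])


if __name__ == "__main__":
    SAMPLE = "action=view&id=7&id=9"  # constructed sample query string
    print("duplicates:", find_duplicates(SAMPLE))
    print("front=first, back=last:", inconsistent_params(SAMPLE, "first", "last"))
```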
Types
Client-side
Server-side
Prevention
Proper input validation, together with awareness of how the web technology in use handles duplicate parameters, is the protection against HTTP Parameter Pollution.[5]
References
- [1] Balduzzi et al. 2011, p. 2.
- [2] "HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.
- [3] "WSTG - Latest: Testing for HTTP Parameter Pollution".
- [4] Luca Carettoni; Stefano Di Paola. "HTTP Parameter Pollution" (PDF).
- [5] "How to Detect HTTP Parameter Pollution Attacks".
Bibliography
- Balduzzi, Marco; Torrano-Gimenez, Carmen; Balzarotti, Davide; Kirda, Engin (2011). Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications. Proceedings of the Network and Distributed System Security Symposium, NDSS 2011 – via ResearchGate.