HTTP parameter pollution

HTTP Parameter Pollution (HPP) is a

parameters. The vulnerability occurs if user input is not correctly encoded for output by a web application.^[1] This vulnerability allows the injection of parameters into web application-created URLs. It was first brought forth to the public in 2009 by Stefano di Paola and Luca Carettoni, in the conference OWASP EU09 Poland.^[1] The impact of such vulnerability varies, and it can range from "simple annoyance" to complete disruption of the intended behavior of a web application. Overriding HTTP parameters to alter a web application's behavior, bypassing input and access validation checkpoints, as well as other indirect vulnerabilities, are possible consequences of a HPP attack.^[1]

There is no

CSRF protection and WAF input validation checks.^[2]

Behaviour

When they are passed multiple parameters with the same name, here is how various back ends behave.[3]

Behaviour when "param" is passed the values "val1" & "val2"
Technology	Parsing result	Example
ASP.NET/IIS	All occurrences concatenated with a comma	param=val1,val2
ASP/IIS	All occurrences concatenated with a comma	param=val1,val2
PHP/Apache	Last occurrence only	param=val2
PHP/Zeus	Last occurrence only	param=val2
JSP, Servlet/Apache Tomcat	First occurrence only	param=val1
JSP, Servlet/Oracle Application Server	First occurrence only	param=val1
JSP, Servlet/Jetty	First occurrence only	param=val1
IBM Lotus Domino	Last occurrence only	param=val2
IBM HTTP Server	First occurrence only	param=val1
mod_perl,libapreq2/Apache	First occurrence only	param=val1
Perl CGI/Apache	First occurrence only	param=val1
mod_wsgi (Python)/Apache	First occurrence only	param=val1
Python/Zope	All occurrences in list(array)	param=['val1','val2']

Types

Client-side

First Order / Reflected HPP^[4]
Second Order / Stored HPP^[4]
Third Order / DOM HPP^[4]

Server-side

Standard HPP^[4]
Second Order HPP^[4]

Prevention

Proper input validation and awareness about web technology on HPP is protection against HTTP Parameter Pollution.^[5]

References

^ ^a ^b ^c Balduzzi et al. 2011, p. 2.
^ "HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.
^ "WSTG - Latest:Testing for HTTP Parameter Pollution".
^ ^a ^b ^c ^d ^e Luca Carettoni; Stefano Di Paola. "HTTP Parameter Pollution" (PDF).
^ "How to Detect HTTP Parameter Pollution Attacks".

Bibliography

Balduzzi, Marco; Torrano-Gimenez, Carmen; Balzarotti, Davide; Kirda, Engin (2011). Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications. Proceedings of the Network and Distributed System Security Symposium, NDSS 2011 – via ResearchGate.

This World Wide Web–related article is a stub. You can help Wikipedia by expanding it.

[FOOTNOTEBalduzziTorrano-GimenezCarmenKirda20112-1] Balduzzi et al. 2011, p. 2.

[2] "HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.

[owasp_hpp-3] "WSTG - Latest:Testing for HTTP Parameter Pollution".

[owasp_hpp_paper-4] Luca Carettoni; Stefano Di Paola. "HTTP Parameter Pollution" (PDF).

[5] "How to Detect HTTP Parameter Pollution Attacks".

[1]

[2]

[4]

[5]