HTTP Parameter Pollution (HPP)

Supplying multiple HTTP parameters with the same name may cause an application to interpret the values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variable values. Because HTTP Parameter Pollution (HPP for short) affects a building block of all web technologies, both server-side and client-side attacks exist.

Examples

someurl/page?par1=val1
someurl/page?par1=HPP_TEST1
someurl/page?par1=val1&par1=HPP_TEST1

Bypass ModSecurity on ASP.NET / IIS: the two page values are concatenated with a comma, so the backend sees page=select 1,2,3 while the WAF inspects each value on its own
/index.aspx?page=select 1&page=2,3

http://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos

CLIENT-SIDE
Similarly to server-side HPP, pollute each HTTP parameter with %26HPP_TEST and look for URL-decoded occurrences of the user-supplied payload in the response: &HPP_TEST, its HTML-encoded form &amp;HPP_TEST, and others.

In particular, pay attention to responses that carry HPP vectors inside data, src or href attributes or inside form actions.
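The check described above, written out as an added example (not code from the original page): a small HTML walker that reports every href, src, data or action attribute in which the HPP marker appears in its decoded form. The marker name, attribute set and the sample HTML are assumptions constructed for this example. Because the parser unescapes attribute values the way a browser does, a literal &HPP_TEST and an entity-encoded &amp;HPP_TEST are both flagged, while a correctly percent-encoded %26HPP_TEST (which the browser sends as part of the value, not as a new parameter) is not.

```python
from html.parser import HTMLParser

# Attributes that turn a reflected parameter into a client-side HPP vector.
WATCHED_ATTRS = {"href", "src", "data", "action"}


class HPPVectorFinder(HTMLParser):
    """Collect (tag, attribute, value) triples whose value carries '&' + marker."""

    def __init__(self, marker: str):
        super().__init__()
        self.marker = marker
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded entities, so '&amp;HPP_TEST' arrives
        # here as '&HPP_TEST', exactly as a browser would interpret it.
        for name, value in attrs:
            if value is None or name not in WATCHED_ATTRS:
                continue
            if "&" + self.marker in value:
                self.findings.append((tag, name, value))


def find_client_hpp_vectors(html: str, marker: str = "HPP_TEST") -> list:
    """Return every watched attribute in which the marker survived URL-decoded."""
    finder = HPPVectorFinder(marker)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample response (not taken from any real application).
SAMPLE_HTML = """
<a href="/page?par1=val1&HPP_TEST">reflected raw: vulnerable</a>
<a href="/page?par1=val1&amp;HPP_TEST">entity-encoded, browser decodes it: vulnerable</a>
<a href="/page?par1=val1%26HPP_TEST">percent-encoded: safe</a>
<img src="/img.png?id=3&HPP_TEST">
<form action="/submit?par1=val1%26HPP_TEST"></form>
<p>&HPP_TEST in body text is not a vector</p>
"""

if __name__ == "__main__":
    for tag, attr, value in find_client_hpp_vectors(SAMPLE_HTML):
        print(f"client-side HPP vector: <{tag} {attr}=\"{value}\">")
```

Feed the function the body of each response in which the polluted parameters were reflected; an empty result means the application re-encoded the value before embedding it.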

APIs: Server-side parameter pollution in a query string

See Server-side parameter pollution (PortSwigger).

💡 Sometimes called HTTP parameter pollution (HPP). NOT the same as server-side prototype pollution!

Attempt to truncate the server-side query string by adding “#” (%23) at the end. It needs to be URL encoded.

username=administrator%23
{"error": "Field not specified."}

This suggests that the server-side query may include an additional parameter called “field”, which has been removed by the “#” character.

Add a parameter to the request with “&” (%26). It needs to be URL encoded.

username=administrator%26param=whatever
{"error": "Parameter is not supported."}

This suggests that the internal API may have interpreted “&param=whatever” as a separate parameter, instead of part of the username.
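The two probes above (%23 truncating the internal query, %26 smuggling an extra parameter) only work because the front end builds the internal query string by raw concatenation. The following added example (not from the page or from PortSwigger) puts a vulnerable builder next to a hardened one and runs both against a toy internal endpoint that returns the same two error messages shown above. The endpoint path, parameter names and error handling are assumptions made up for the example; the front end is assumed to have already URL-decoded the user's input, which is why the inputs below contain a literal # and &.

```python
from urllib.parse import urlencode, parse_qs

INTERNAL_ENDPOINT = "/users/search"   # hypothetical internal API


def build_query_unsafe(username: str) -> str:
    # Vulnerable: the decoded user value is concatenated into the query as-is,
    # so '#' truncates what follows and '&' starts a new parameter.
    return f"{INTERNAL_ENDPOINT}?username={username}&field=email"


def build_query_safe(username: str) -> str:
    # Hardened: urlencode() percent-encodes '#', '&', '=' and friends, so the
    # value can never change the structure of the internal query.
    return f"{INTERNAL_ENDPOINT}?{urlencode({'username': username, 'field': 'email'})}"


def internal_api(url: str) -> dict:
    """Toy internal endpoint: parse the query it receives and validate it."""
    _path, _, rest = url.partition("?")
    query, _, _fragment = rest.partition("#")   # anything after '#' is dropped
    params = parse_qs(query, keep_blank_values=True)
    if "field" not in params:
        return {"error": "Field not specified."}
    unknown = set(params) - {"username", "field"}
    if unknown:
        return {"error": "Parameter is not supported."}
    return {"username": params["username"][0], "field": params["field"][0]}


if __name__ == "__main__":
    for probe in ("administrator", "administrator#", "administrator&param=whatever"):
        print(f"{probe!r:35} unsafe -> {internal_api(build_query_unsafe(probe))}")
        print(f"{'':35} safe   -> {internal_api(build_query_safe(probe))}")
```

With the unsafe builder the probes reproduce the two error messages above; with the safe builder the internal API simply sees an odd-looking username and answers normally, which is the behaviour to aim for when reviewing code that forwards user input to an internal service.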

Default Behavior

Given the URL and query string: http://domain.com/?color=red&color=blue

Language / Web Application Server              Behavior                                    Result
ASP.NET / IIS                                  All occurrences concatenated with a comma   color=red,blue
PHP / Apache                                   Last occurrence only                        color=blue
PHP / Zeus                                     Last occurrence only                        color=blue
IBM Lotus Domino                               Last occurrence only                        color=blue
JSP, Servlet / Apache Tomcat                   First occurrence only                       color=red
JSP, Servlet / Oracle Application Server 10g   First occurrence only                       color=red
JSP, Servlet / Jetty                           First occurrence only                       color=red
IBM HTTP Server                                First occurrence only                       color=red
mod_perl, libapreq2 / Apache                   First occurrence only                       color=red
Perl CGI / Apache                              First occurrence only                       color=red
mod_wsgi (Python) / Apache                     First occurrence only                       color=red
Python / Zope                                  All occurrences in List data type           color=['red','blue']
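To make the table above and the earlier ModSecurity example concrete, here is an added example (not code from the original page) that emulates the four resolution behaviours listed in the table on a given query string, and a small detector that flags repeated parameter names, first on a bare query string and then over constructed access-log lines of the kind a defender would review. The strategy names, the mapping of stacks to strategies in the comments, and the log lines are assumptions made for this example; the real behaviour of a given stack should be confirmed against the table or by testing.

```python
import re
from urllib.parse import parse_qs

# Resolution strategies from the "Default Behavior" table: which of the
# repeated values the application ends up seeing.
STRATEGIES = {
    "first": lambda vals: vals[0],          # Tomcat, Jetty, Perl CGI, mod_wsgi, ...
    "last": lambda vals: vals[-1],          # PHP/Apache, PHP/Zeus, Lotus Domino
    "concat": lambda vals: ",".join(vals),  # ASP.NET / IIS
    "list": lambda vals: list(vals),        # Python / Zope
}


def resolve(query: str, strategy: str) -> dict:
    """Parse a query string and collapse each repeated name per the chosen strategy."""
    raw = parse_qs(query, keep_blank_values=True)   # {name: [value, value, ...]}
    return {name: STRATEGIES[strategy](values) for name, values in raw.items()}


def find_polluted_params(query: str) -> dict:
    """Return {name: [values]} for every parameter that occurs more than once."""
    raw = parse_qs(query, keep_blank_values=True)
    return {name: values for name, values in raw.items() if len(values) > 1}


# Request line inside an Apache/Nginx combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|PATCH) (\S+) HTTP/')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.aspx?page=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.aspx?page=select%201&page=2,3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /search?q=x&q=y&lang=en HTTP/1.1" 200 88',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "POST /login HTTP/1.1" 302 0',
]


def scan_access_log(lines) -> list:
    """Return a list of (path, polluted_params) for requests with a repeated parameter."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        polluted = find_polluted_params(query)
        if polluted:
            hits.append((path, polluted))
    return hits


if __name__ == "__main__":
    for strategy in STRATEGIES:
        print(f"{strategy:>6}: {resolve('color=red&color=blue', strategy)}")
    # On ASP.NET the WAF checks 'select 1' and '2,3' separately, the app sees the join:
    print(resolve("page=select 1&page=2,3", "concat"))
    for path, polluted in scan_access_log(SAMPLE_LOG):
        print(f"HPP candidate on {path}: {polluted}")
```

The concatenation case is the one that defeats a per-value WAF rule: each value is harmless on its own, and only the joined string the application receives carries the full payload, which is why duplicate parameter names are worth alerting on regardless of their individual content.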