HTTP parameter pollution

Add links
From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Rpyle731 (talk | contribs) at 06:48, 11 August 2020 (stub sort). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

HTTP
Request methods
Header fields
Response status codes
Security access control methods
Security vulnerabilities

HTTP Parameter Pollution or HPP in short is a vulnerability that occurs due to passing of multiple parameters having same name. There is no RFC standard on what should be done when passed multiple parameters. This vulnerability was first discovered in 2009. [1].HPP could be used for cross channel pollution, bypassing CSRF protection and WAF input validation checks.[2]

Behaviour

When passed multiple parameters with same name, here is how backend behaves

Behaviour
Technology Parsing result Example
ASP.NET/IIS All occurrences concatenated with a comma param=val1,val2
ASP/IIS All occurrences concatenated with a comma param=val1,val2
PHP/Apache Last occurence only param=val2
PHP/Zeus Last occurence only param=val2
JSP, Servlet/Apache Tomcat First occurence only param=val1
JSP, Servlet/Oracle Application Server First occurence only param=val1
JSP, Servlet/Jetty First occurence only param=val1
IBM Lotus Domino Last occurrence only param=val2
IBM HTTP Server First occurence only param=val1
mod_perl,libapreq2/Apache First occurence only param=val1
Perl CGI/Apache First occurence only param=val1
mod_wsgi (Python)/Apache First occurence only param=val1
Python/Zope All occurences in list(array) param=['val1','val2']

[1]

Types

Client-side

  • First Order / Reflected HPP[3]
  • Second Order / Stored HPP[3]
  • Third Order / DOM HPP[3]

Server-side

  • Standard HPP[3]
  • Second Order HPP[3]

Prevention

Proper input validation and awareness about web technology on HPP is protection against HTTP Parameter Pollution.[4]

See also

References

  1. ^ a b "WSTG - Latest:Testing for HTTP Parameter Pollution".
  2. ^ "HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.
  3. ^ a b c d e "HTTP Parameter Pollution" (PDF). {{cite web}}: Cite uses deprecated parameter |authors= (help)
  4. ^ "How to Detect HTTP Parameter Pollution Attacks".


Stub icon

This World Wide Web–related article is a stub. You can help Wikipedia by expanding it.

Retrieved from "https://en.wikipedia.org/w/index.php?title=HTTP_parameter_pollution&oldid=972280305"