HTTP parameter pollution
HTTP |
---|
Request methods |
Header fields |
Response status codes |
Security access control methods |
Security vulnerabilities |
HTTP Parameter Pollution or HPP in short is a vulnerability that occurs due to passing of multiple parameters having same name. There is no RFC standard on what should be done when passed multiple parameters. This vulnerability was first discovered in 2009. [1].HPP could be used for cross channel pollution, bypassing CSRF protection and WAF input validation checks.[2]
Behaviour
When passed multiple parameters with same name, here is how backend behaves
Technology | Parsing result | Example |
---|---|---|
ASP.NET/IIS | All occurrences concatenated with a comma | param=val1,val2 |
ASP/IIS | All occurrences concatenated with a comma | param=val1,val2 |
PHP/Apache | Last occurence only | param=val2 |
PHP/Zeus | Last occurence only | param=val2 |
JSP, Servlet/Apache Tomcat | First occurence only | param=val1 |
JSP, Servlet/Oracle Application Server | First occurence only | param=val1 |
JSP, Servlet/Jetty | First occurence only | param=val1 |
IBM Lotus Domino | Last occurrence only | param=val2 |
IBM HTTP Server | First occurence only | param=val1 |
mod_perl,libapreq2/Apache | First occurence only | param=val1 |
Perl CGI/Apache | First occurence only | param=val1 |
mod_wsgi (Python)/Apache | First occurence only | param=val1 |
Python/Zope | All occurences in list(array) | param=['val1','val2'] |
Types
Client-side
Server-side
Prevention
Proper input validation and awareness about web technology on HPP is protection against HTTP Parameter Pollution.[4]
See also
References
- ^ a b "WSTG - Latest:Testing for HTTP Parameter Pollution".
- ^ "HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.
- ^ a b c d e "HTTP Parameter Pollution" (PDF).
{{cite web}}
: Cite uses deprecated parameter|authors=
(help) - ^ "How to Detect HTTP Parameter Pollution Attacks".