HTTP parameter pollution

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

HTTP Parameter Pollution or HPP in short is a vulnerability that occurs due to passing of multiple parameters having same name. There is no RFC standard on what should be done when passed multiple parameters. This vulnerability was first discovered in 2009.[1] HPP could be used for cross channel pollution, bypassing CSRF protection and WAF input validation checks.[2]


When passed multiple parameters with same name, here is how backend behaves

Technology Parsing result Example
ASP.NET/IIS All occurrences concatenated with a comma param=val1,val2
ASP/IIS All occurrences concatenated with a comma param=val1,val2
PHP/Apache Last occurrence only param=val2
PHP/Zeus Last occurrence only param=val2
JSP, Servlet/Apache Tomcat First occurrence only param=val1
JSP, Servlet/Oracle Application Server First occurrence only param=val1
JSP, Servlet/Jetty First occurrence only param=val1
IBM Lotus Domino Last occurrence only param=val2
IBM HTTP Server First occurrence only param=val1
mod_perl,libapreq2/Apache First occurrence only param=val1
Perl CGI/Apache First occurrence only param=val1
mod_wsgi (Python)/Apache First occurrence only param=val1
Python/Zope All occurrences in list(array) param=['val1','val2']




  • First Order / Reflected HPP[3]
  • Second Order / Stored HPP[3]
  • Third Order / DOM HPP[3]


  • Standard HPP[3]
  • Second Order HPP[3]


Proper input validation and awareness about web technology on HPP is protection against HTTP Parameter Pollution.[4]

See also[edit]


  1. ^ a b "WSTG - Latest:Testing for HTTP Parameter Pollution".
  2. ^ "HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.
  3. ^ a b c d e Luca Carettoni and Stefano Di Paola. "HTTP Parameter Pollution" (PDF).CS1 maint: uses authors parameter (link)
  4. ^ "How to Detect HTTP Parameter Pollution Attacks".