HTTP parameter pollution

HTTP Parameter Pollution or HPP in short is a vulnerability that occurs due to passing of multiple parameters having same name. There is no RFC standard on what should be done when passed multiple parameters. This vulnerability was first discovered in 2009.[1] HPP could be used for cross channel pollution, bypassing CSRF protection and WAF input validation checks.[2]

HTTP
Request methods
Header fields
Status codes
Security access control methods
Security vulnerabilities

Behaviour

When passed multiple parameters with same name, here is how backend behaves

Behaviour
TechnologyParsing resultExample
ASP.NET/IISAll occurrences concatenated with a commaparam=val1,val2
ASP/IISAll occurrences concatenated with a commaparam=val1,val2
PHP/ApacheLast occurrence onlyparam=val2
PHP/ZeusLast occurrence onlyparam=val2
JSP, Servlet/Apache TomcatFirst occurrence onlyparam=val1
JSP, Servlet/Oracle Application ServerFirst occurrence onlyparam=val1
JSP, Servlet/JettyFirst occurrence onlyparam=val1
IBM Lotus DominoLast occurrence onlyparam=val2
IBM HTTP ServerFirst occurrence onlyparam=val1
mod_perl,libapreq2/ApacheFirst occurrence onlyparam=val1
Perl CGI/ApacheFirst occurrence onlyparam=val1
mod_wsgi (Python)/ApacheFirst occurrence onlyparam=val1
Python/ZopeAll occurrences in list(array)param=['val1','val2']

[1]

Types

Client-side
  • First Order / Reflected HPP[3]
  • Second Order / Stored HPP[3]
  • Third Order / DOM HPP[3]

Server-side
  • Standard HPP[3]
  • Second Order HPP[3]

Prevention

Proper input validation and awareness about web technology on HPP is protection against HTTP Parameter Pollution.[4]

See also

References
  1. "WSTG - Latest:Testing for HTTP Parameter Pollution".
  2. "HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.
  3. Luca Carettoni and Stefano Di Paola. "HTTP Parameter Pollution" (PDF).CS1 maint: uses authors parameter (link)
  4. "How to Detect HTTP Parameter Pollution Attacks".


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.