HTTP Parameter Pollution

Also called parameter tampering.

khaleasi01
Feb 15, 2021

An HTTP Parameter Pollution (HPP) vulnerability occurs when a website trusts a manipulated HTTP request that carries extra parameters.

HPP bugs are of two types: server-side and client-side HPP.

SERVER SIDE HPP

In server-side HPP, we send unexpected information in an attempt to make the server-side code return unexpected results. Servers don’t just return a web page; they also run code based on the information they receive in the URL that is sent. This code is visible only to the server; we cannot see it.

For example, suppose a bank makes transfers by accepting URL parameters that are processed on its server, and we have to enter three values to transfer money: the account to send from, the account to send to, and the amount. The URL would look like this:

https://www.bank.com/transfer?from=12345&to=67890&amount=5000

The bank may assume that it will receive only one “from” parameter, but what if we submit two “from” parameters to the bank’s website? Consider the following URL:

https://www.bank.com/transfer?from=12345&to=67890&amount=5000&from=ABCDEF

If the server accepts the last “from” parameter and a success code is returned, the transfer will occur from ABCDEF to 67890 instead of from 12345 to 67890.

NOTE: Servers behave differently when they receive multiple parameters with the same name. For example, PHP on Apache uses the last occurrence, Apache Tomcat uses the first occurrence, ASP on IIS uses all occurrences, and so on. Look at the following table:

NOTE: There is no single rule or method for handling multiple parameters submitted with the same name, and finding HPP vulnerabilities takes experimentation, because we need to find out how the website we’re testing responds to our requests.
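An added example (not from the original article): a Python model of the first/last/all behaviours named in the note above, run on the article's polluted transfer URL, together with a strict parser that rejects repeated names. The function names, the expected-parameter list and the comma join used for "all occurrences" are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# The polluted transfer URL from the article, used here as sample input.
POLLUTED = "https://www.bank.com/transfer?from=12345&to=67890&amount=5000&from=ABCDEF"

def occurrences(url):
    """Group every value under its (percent-decoded) parameter name, in order."""
    grouped = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped

def resolve(url, policy):
    """Model the three behaviours the article lists for duplicate names."""
    pick = {
        "first": lambda vals: vals[0],       # Apache Tomcat, per the article
        "last": lambda vals: vals[-1],       # PHP on Apache, per the article
        "all": lambda vals: ",".join(vals),  # ASP on IIS; comma join is an assumption
    }[policy]
    return {name: pick(vals) for name, vals in occurrences(url).items()}

class DuplicateParameter(ValueError):
    """Raised when a parameter name appears more than once."""

def strict_params(url, expected=("from", "to", "amount")):
    """Defensive parse: exactly one occurrence of each expected name, nothing else."""
    grouped = occurrences(url)
    dupes = sorted(name for name, vals in grouped.items() if len(vals) > 1)
    if dupes:
        raise DuplicateParameter("repeated parameter(s): " + ", ".join(dupes))
    if set(grouped) != set(expected):
        raise ValueError("unexpected or missing parameters")
    return {name: vals[0] for name, vals in grouped.items()}

if __name__ == "__main__":
    for policy in ("first", "last", "all"):
        print(policy, "->", resolve(POLLUTED, policy)["from"])
    try:
        strict_params(POLLUTED)
    except DuplicateParameter as err:
        print("rejected:", err)
```

Because names are compared after percent-decoding, a repeated name written as `fr%6Fm` is rejected the same way as a literal second `from`.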

CLIENT SIDE HPP

A client-side HPP vulnerability allows attackers to add extra parameters to a URL and produce effects on the user’s end.

Consider an example of hypothetical server-side code:

<?php
// Escapes HTML metacharacters only; the value is not URL-encoded.
$val = htmlspecialchars($_GET['par'], ENT_QUOTES);
?>

<a href="/page.php?action=view&par=<?=$val?>">View Me!</a>

Here the value of ‘par’ depends on the user’s input. If the user passes 123%26action=edit as input, what would the output be? The value %26 is “&”, which acts as a separator, so the value would be passed to the href and the server would be tricked.
