📕
Blog
  • 🐞Vulnerabilities & Techniques
    • Web Vulnerabilities
      • Open Redirect
      • HTTP Parameter Pollution (HPP)
      • Host Header Injection (HHI)
      • XSS
      • HTML-Injection
      • clickjacking
      • S3
      • EXternal Xml Entity (XXE)
      • XSS prevention | CSP
      • DOM-XSS
      • SQL Injection | SQLI
      • Response Manipulation Technique & How Burp Suite Works
    • API Vulnerabilities
      • Mass Assignment Vulnerability
  • 🚩CTF
    • ASCWG
  • ✍️Writeups
    • Read Writeups
      • REST API WriteUps
      • Web Vulnerabilities WriteUps
    • Technical Writeups
      • Reset Password Poisoning Via Host Header Injection Lead to (ATO)
      • OTP/2FA Bypasses
        • OTP bypasses
  • 😈TryHackMe
    • THM Advent of Cyber 3 (2021) NoSQL WriteUp
  • 🔱Web-CyberTalents
    • CyberTalents-Web-Easy
    • CyberTalents-Web-Medium
    • CyberTalents-Web-Hard
  • 🖇️Pentesting & Bug Hunting Tips
    • ATO Via Host Header Injection
    • OTP Bypass
    • OutLook Plugin Pentest Guide
  • 💻Port-Swigger Labs
    • XML external entity (XXE) injection
    • DOM-XSS
      • DOM XSS in the document.write sink using source location.search
      • Lab: DOM XSS in document.write sink using source location.search inside a select element
      • Lab: DOM XSS in innerHTML sink using source location.search
      • Lab: DOM XSS in jQuery anchor href attribute sink using location.search source
      • Lab: Reflected DOM XSS
      • Lab: Stored DOM XSS
    • SQL injection
      • Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
      • Lab: SQL injection vulnerability allowing login bypass
      • Lab: SQL injection UNION attack, determining the number of columns returned by the query
      • Lab: SQL injection UNION attack, finding a column containing text
      • Lab: SQL injection UNION attack, retrieving data from other tables
      • Lab: SQL injection UNION attack, retrieving multiple values in a single column
      • Lab: SQL injection attack, querying the database type and version on Oracle
      • Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft
      • Lab: SQL injection attack, listing the database contents on non-Oracle databases
  • 🛜Wireless Networks Penetration Testing
  • ⚔️Wi-Fi Attacks
    • 🕸️Network Scanning attack
    • 🌊DOS / Flooding
      • 1️⃣DoS - Frame Flooding (Deauth, EAPOL, Beacons)
      • 2️⃣DoS- Exploiting Countermeasures (MIC failure)
    • Jamming Attacks (هجمات التشويش)
    • Probe Requests Attack
    • Handshake Attacks
      • Dictionary Attack
      • Clientless Attack
      • KRACK Attack
      • Downgrad Attack
    • Rouge AP Attack
  • Lab Notes
  • RFID and NFC
  • Bluetooth
  • ZigBee
  • Google Map Test
Powered by GitBook
On this page
  • 📚 What is HPP ?
  • 🤔 Why HPP Happen ?
  • 💥 Exploitation
  • ⚔ Impact
  • 🔎 How To Find
  • ⚙ Remediation
  • 📕 Referance
  1. Vulnerabilities & Techniques
  2. Web Vulnerabilities

HTTP Parameter Pollution (HPP)

PreviousOpen RedirectNextHost Header Injection (HHI)

Last updated 2 years ago

Content

📚 What is HPP ?

🤔 Why HPP Happen ?

💥 Exploitation

⚔ Impact

🔎 How To Find

⚙ Remediation

📕 Referance

📚 What is HPP ?

HTTP Parameter Pollution tests the applications response to receiving multiple HTTP parameters with the same name. For example, if the parameter username is included in the GET or POST parameters twice.

This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name (?param1=value1&param1=value2).

Some taking the first occurance (param1) value1, some taking the last occurance (param1) value2, and some reading it as an array.

🤔 Why HPP Happen ?

The main reason this attack can be realized is because the input is not sanitized properly. HPP injects encoded query string delimiters in existing or other HTTP parameters (i.e. GET/POST/Cookie), which make it feasible to supersede parameter values that already exist to inject a new parameter or exploit variables from direct access. This attack affects all web technologies, whether running client-side or server-side.

💥 Exploitation

Table of Servers & Programming Languages and how to handle HPP

Example of php Language that used the LAST parameter

⚔ Impact

HTTP parameter pollution may be dangerous, depending on the function that the parameters have in the web application. For example, if the attacker can use HPP to confuse a web application, they may delete important records in the database.

🔎 How To Find

Test HPP Manually Try to inject another paramter with the same name to abuse logical flow or broken access control values

⚙ Remediation

In order to prevent these kinds of vulnerabilities, an extensive and proper input validation should be performed. There are safe methods to conform to with each web technology/language. Moreover, awareness about the fact that clients/users can provide more than one parameter should be raised.

📕 Referance

🐞
Imperva
PayloadsAllTheThings
OWASP
Hacktricks
Acunetix
PwnFunction
HPP