search

HTTP Parameter Pollution

circle-exclamation

Before you start, it is very recommended to have basics of HTTP query/form parameters and duplicate parameter handling, how web frameworks and proxies merge or parse repeated keys, and server-side input validation/parameter binding. This part may seem long, and its sections are built to be sequentially starting from the beginner level up to some advanced stuff, feel free to navigate to whatever topic you want. hack fun :)

hashtag
Understanding HTTP Parameter Pollution (HPP)

hashtag
What is HTTP Parameter Pollution?

HTTP Parameter Pollution (HPP) is a vulnerability that occurs when web applications accept and process multiple HTTP parameters with the same name in unexpected ways. Different technologies (web servers, application frameworks, WAFs) may handle duplicate parameters differently, leading to security bypasses, authentication issues, and application logic flaws.

hashtag
Vulnerable Scenario Example

GET /search?category=books&category=electronics&price=100 HTTP/1.1
Host: example.com

Different Technology Handling:

  • PHP: Takes the last value β†’ category=electronics

  • ASP.NET: Takes the first value β†’ category=books

  • Python Flask: Creates an array β†’ category=['books', 'electronics']

  • Java Servlet: Takes the first value β†’ category=books

  • Node.js: Takes the last value β†’ category=electronics

hashtag
How HPP Works

HPP exploits the inconsistent handling of duplicate HTTP parameters across different technologies in the application stack. When multiple components process the same HTTP request differently, attackers can craft requests that bypass security controls or alter application logic.

hashtag
Parameter Processing Flow

  1. Client Request - Sends HTTP request with duplicate parameters

  2. Load Balancer/WAF - May process parameters one way

  3. Web Server - May process parameters differently

  4. Application Framework - May have different processing logic

  5. Backend Logic - Receives processed parameters

hashtag
Impact and Consequences

  • Authentication Bypass - Bypassing login mechanisms

  • Authorization Bypass - Accessing restricted resources

  • Input Validation Bypass - Circumventing security filters

  • Logic Flaw Exploitation - Manipulating business logic

  • WAF/IDS Evasion - Bypassing security controls

  • Cache Poisoning - Polluting cache with malicious content

hashtag
Technology-Specific Parameter Handling

hashtag
Web Server Behavior

Apache HTTP Server:

  • Default: Concatenates parameters with &

  • Example: param=value1&param=value2 β†’ param=value1&value2

  • mod_rewrite: May behave differently based on configuration

Nginx:

  • Default: Takes the last parameter value

  • Example: param=value1&param=value2 β†’ param=value2

  • Can be configured to handle differently

IIS (Internet Information Services):

  • Default: Concatenates parameters with ,

  • Example: param=value1&param=value2 β†’ param=value1,value2

hashtag
Application Framework Behavior

PHP:

ASP.NET:

Java Servlet:

Python Flask:

Node.js (Express):

Ruby on Rails:

hashtag
Basic HPP Attack Techniques

hashtag
Authentication Bypass

hashtag
Login Form Parameter Pollution

Basic Authentication Bypass:

Scenario Analysis:

  • WAF/Security Filter: Sees username=admin&password=wrong β†’ Allows (wrong password)

  • Application Backend: Processes username=guest&password=guest β†’ Authenticates successfully

Advanced Login Bypass:

Real-World Example:

hashtag
Multi-Factor Authentication Bypass

2FA Token Pollution:

SMS Code Bypass:

hashtag
Authorization Bypass

hashtag
Role-Based Access Control Bypass

Admin Role Escalation:

Permission Override:

hashtag
Resource Access Control Bypass

File Access Control:

Database Record Access:

hashtag
Input Validation Bypass

hashtag
WAF/Security Filter Evasion

SQL Injection Filter Bypass:

WAF Processing:

  • First parameter: query=legitimate β†’ Passes validation

  • Application receives: query=' OR '1'='1 β†’ SQL injection executes

XSS Filter Bypass:

Command Injection Bypass:

hashtag
Content Security Policy Bypass

CSP Header Manipulation:

CORS Policy Bypass:

hashtag
Advanced HPP Exploitation

hashtag
Business Logic Manipulation

hashtag
E-commerce Price Manipulation

Shopping Cart Manipulation:

Discount Code Stacking:

Payment Amount Manipulation:

hashtag
User Profile Manipulation

Email Address Pollution:

Permission Escalation:

hashtag
Cache Poisoning via HPP

hashtag
Web Cache Deception

Cache Key Manipulation:

CDN Cache Poisoning:

hashtag
Cache Poisoning Attack Chain

Step 1: Poison Cache

Step 2: Victim Request

Result: Victim receives cached malicious response

hashtag
Load Balancer and Reverse Proxy Exploitation

hashtag
Backend Server Manipulation

Server Selection Bypass:

Load Balancer Routing:

hashtag
Request Smuggling via HPP

HTTP Request Smuggling:

hashtag
Framework-Specific HPP Vulnerabilities

hashtag
PHP Applications

hashtag
PHP Parameter Processing Quirks

Array vs String Confusion:

PHP Session Manipulation:

PHP Configuration Bypass:

hashtag
WordPress HPP Vulnerabilities

WordPress Parameter Pollution:

Plugin Parameter Pollution:

hashtag
ASP.NET Applications

hashtag
ViewState Manipulation

ViewState Parameter Pollution:

Control State Manipulation:

hashtag
ASP.NET Core HPP

Model Binding Confusion:

Route Parameter Pollution:

hashtag
Java Web Applications

hashtag
Java Servlet Parameter Handling

Spring Framework HPP:

Struts Action Parameter Pollution:

hashtag
JSP Parameter Processing

JSP Request Parameter Pollution:

hashtag
Node.js Applications

hashtag
Express.js Parameter Handling

Query Parser Configuration:

Custom Middleware Pollution:

hashtag
Fastify Parameter Handling

Fastify Schema Bypass:

hashtag
HTTP Method-Specific HPP

hashtag
GET Parameter Pollution

hashtag
URL Query String Manipulation

Basic GET HPP:

URL Fragment Pollution:

Mixed GET Parameters:

hashtag
POST Parameter Pollution

hashtag
Form Data Manipulation

application/x-www-form-urlencoded:

multipart/form-data:

hashtag
JSON Parameter Pollution

JSON Body Manipulation:

JSON Array Pollution:

hashtag
HTTP Header Pollution

hashtag
Custom Header Manipulation

X-Forwarded-For Pollution:

Authorization Header Pollution:

Custom Application Headers:

hashtag
Advanced Attack Scenarios

hashtag
Multi-Stage HPP Attacks

hashtag
HPP + CSRF Attack Chain

Stage 1: CSRF Token Bypass

Stage 2: Session Fixation

hashtag
HPP + SQL Injection Chain

WAF Bypass + SQL Injection:

Parameter Smuggling:

hashtag
Microservices Architecture HPP

hashtag
Service Mesh Parameter Pollution

Inter-Service Communication:

API Gateway Bypass:

hashtag
Container Orchestration HPP

Kubernetes Service Discovery:

Docker Swarm Service Routing:

PreviousTemplate injection (SSTI - Server-Side Template Injection)NextHTTP Request Smuggling

Last updated

Was this helpful?