What is Parameter Pollution Social Media Sharing Buttons Vulnerability?

HTTP Parameter Pollution (HPP) is a form of injection attack in which a target system receives multiple parameters with the same name and processes them in an insecure or unexpected manner. This sort of flaw can be identified on both the server and client sides.

HPP testing evaluates an application’s reaction to receiving multiple HTTP parameters with the same name, for example when the parameter username is included in the GET or POST parameters twice.

When multiple parameters with the same name are submitted to a server, different languages and frameworks handle them differently. This is because there is no standard method for handling multiple parameters with the same name.

The table below shows how web technologies respond when multiple occurrences of the same HTTP parameter are present, given the following URL and query string:

http://example.com/?color=red&color=blue

| Web Application Server Backend | Parsing Result | Example |
| --- | --- | --- |
| ASP, ASP.NET / IIS | All occurrences concatenated with a comma | color=red,blue |
| PHP / Apache | Last occurrence only | color=blue |
| JSP, Servlet / Oracle Application Server 10g | First occurrence only | color=red |
| IBM Lotus Domino | Last occurrence only | color=blue |
| IBM HTTP Server | First occurrence only | color=red |
| Python / Zope | All occurrences in List data type | color=['red','blue'] |

NB: Unusual behavior is a common cause of security flaws.

This, in and of itself, is not a sign of vulnerability. However, if the developer is unaware of the issue, repeated parameters may cause abnormal behavior in the program that an attacker might exploit.

Consider the following scenario in which a banking application sends a request.

insecure-bank/transfer.php?from=ac1&to=ac2&value=100

If we alter the preceding request to

insecure-bank/transfer.php?from=ac1&to=ac2&value=100&to=attackers-ac

then, because PHP uses only the last occurrence of a repeated parameter, the money is routed to the attacker’s account rather than to ac2 when the bank executes the request.

The share buttons on most websites are another source of HTTP parameter pollution. When we click the Facebook share button, we send a request that looks like

https://www.facebook.com/sharer/sharer.php?u=example.html

The “u” parameter specifies the URL of the page we wish to share. Suppose we replace the original page URL with

https://example.html?&u=https://fsec404.github.io

If the website does not sanitize the URL when it builds the share link, clicking the Facebook share button sends the following request to Facebook.

https://www.facebook.com/sharer/sharer.php?u=example.html&u=https://fsec404.github.io

Because Facebook’s web servers use the last occurrence of a parameter, fsec404.github.io is shared instead of example.html.
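
The share-link case above, as an added example that is not code from the original page: it builds the sharer link once by plain concatenation and once with the value percent-encoded, then resolves "u" under the first, last and concatenated behaviours from the table. All function names are hypothetical, and the input is the constructed URL from the text.

```javascript
// Added example; function names are hypothetical, not from any library.
const SHARER = "https://www.facebook.com/sharer/sharer.php";

// Vulnerable: the page URL is appended unencoded, so an "&u=..." inside it
// becomes a second top-level "u" parameter of the share request.
function buildShareLinkUnsafe(pageUrl) {
  return SHARER + "?u=" + pageUrl;
}

// Hardened: URLSearchParams percent-encodes the value, so "&", "=" and "?"
// in pageUrl stay inside the single "u" parameter.
function buildShareLinkSafe(pageUrl) {
  const link = new URL(SHARER);
  link.searchParams.set("u", pageUrl);
  return link.toString();
}

// Model the parsing results from the table: first, last, or all joined.
function resolveParam(link, name, policy) {
  const values = new URL(link).searchParams.getAll(name);
  if (policy === "first") return values[0];
  if (policy === "last") return values[values.length - 1];
  return values.join(",");
}

// Check usable in a unit test or scanner: a share link must carry
// exactly one occurrence of the parameter.
function countParam(link, name) {
  return new URL(link).searchParams.getAll(name).length;
}

// Constructed input matching the page's example.
const polluted = "https://example.html?&u=https://fsec404.github.io";

for (const build of [buildShareLinkUnsafe, buildShareLinkSafe]) {
  const link = build(polluted);
  console.log(build.name, "->", link);
  console.log("  u occurrences:", countParam(link, "u"));
  console.log("  last-wins value:", resolveParam(link, "u", "last"));
}
```
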

The ZOFixer.com security scan helps to find this vulnerability in your software and server. You can use it by registering on our website and activating the 30-day trial.
