CAPEC-460 Detail

HTTP Parameter Pollution (HPP)

Abstraction: Detailed
Domain: Software
Typical Severity: Medium

Parents: CAPEC-15

Threats: T290

Description

An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify application behaviour, reach (and potentially exploit) variables the application never intended the client to control, and bypass input validation checkpoints and WAF rules that inspect each parameter value in isolation.

References

CAPEC-460 (capec): https://capec.mitre.org/data/definitions/460.html
CWE-88 (cwe): http://cwe.mitre.org/data/definitions/88.html - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-147 (cwe): http://cwe.mitre.org/data/definitions/147.html - Improper Neutralization of Input Terminators
CWE-235 (cwe): http://cwe.mitre.org/data/definitions/235.html - Improper Handling of Extra Parameters
OWASP Attacks: https://owasp.org/www-community/attacks/Web_Parameter_Tampering - Web Parameter Tampering
REF-397 (reference from CAPEC): https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf - Luca Carettoni, Stefano di Paola, "HTTP Parameter Pollution" (OWASP EU09 Poland), 2008, The Open Web Application Security Project (OWASP)
REF-606 (reference from CAPEC): https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html - OWASP Web Security Testing Guide, "Testing for HTTP Parameter Pollution", The Open Web Application Security Project (OWASP)
Execution Flow

Explore
  1. Find User Input: The adversary finds anywhere in the web application that uses user-supplied input in a form or action. Candidates can also be found by looking at the parameters in the URL shown in the browser's navigation bar.

Experiment
  1. Add Duplicate Parameter Values: Once the adversary has identified which user inputs become HTTP parameters, they add a duplicate of each parameter one at a time and observe the result. If the response shows the duplicate value concatenated with the original value in some way, or only the duplicate value, then HPP is possible.

  2. Techniques
    In the URL, add a duplicate parameter using the "&" delimiter. For example, "par1=val1" becomes "par1=val1&par1=val2". Depending on the backend, the duplicated name may resolve to the first value ("val1"), the last value ("val2"), a concatenation such as "val1,val2", or a list of both; the point of the probe is to learn which policy the target applies, since that decides whether a hardcoded parameter can be overridden at all.
    If the request is assembled server-side from user input on the page, the adversary tests by adding a URL-encoded delimiter to the input. For example, supplying "1000%26action=withdraw" as an amount may cause the backend to build and forward a POST whose body carries the parameters "action=deposit&amount=1000&action=withdraw", so the injected second "action" competes with the hardcoded first one.

Exploit
  1. Leverage HPP: Once the adversary has identified how the backend handles duplicate parameters, they pollute the parameters in the way that benefits them. In some cases the backend discards the hardcoded parameter in favour of the injected duplicate. In others, the adversary bypasses a WAF that inspects each parameter value individually, before the backend concatenates the duplicates, so that a malicious query which only comes into existence after server-side concatenation gets through.

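The following is an added example, not code from the CAPEC entry or from OWASP. It models the Experiment and Exploit steps above: four duplicate-parameter resolution policies (the labels "first", "last", "concat" and "list" are this example's own, not CAPEC terms), a hypothetical vulnerable front end that pastes a decoded amount into a second request body beside its hardcoded "action=deposit", the hardened equivalent, a duplicate-name check that a validation layer can apply, and a naive per-value filter compared against what a comma-concatenating backend actually evaluates. All inputs, including the SQL pattern, are constructed for the example and are not a real WAF ruleset.

```python
import re
from urllib.parse import parse_qsl, unquote, urlencode


# Duplicate-parameter policies observed across backends. Which one a given
# stack applies must be probed per target, never assumed.
def parse_first_wins(query):
    params = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        params.setdefault(k, v)          # keep the first occurrence
    return params


def parse_last_wins(query):
    return dict(parse_qsl(query, keep_blank_values=True))  # later keys overwrite


def parse_concatenate(query, sep=","):
    params = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        params[k] = params[k] + sep + v if k in params else v
    return params


def parse_as_list(query):
    params = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        params.setdefault(k, []).append(v)
    return params


POLICIES = {
    "first": parse_first_wins,
    "last": parse_last_wins,
    "concat": parse_concatenate,
    "list": parse_as_list,
}


def probe_duplicates(query, name):
    """Experiment step: resolve one duplicated name under every policy."""
    return {label: fn(query).get(name) for label, fn in POLICIES.items()}


# Hypothetical vulnerable server code (constructed for this example): the
# front end hardcodes action=deposit and string-concatenates the user's
# amount into the body of an internal POST without re-encoding it.
def build_transfer_body_vulnerable(amount_input):
    decoded = unquote(amount_input)            # "1000%26action=withdraw" -> "1000&action=withdraw"
    return "action=deposit&amount=" + decoded  # raw concatenation: the '&' now delimits a new parameter


# Hardened form: build the body from a mapping so every value is encoded
# and a decoded '&' or '=' can never act as a delimiter.
def build_transfer_body_safe(amount_input):
    return urlencode({"action": "deposit", "amount": unquote(amount_input)})


def has_duplicate_params(body):
    """Validation check: refuse any query string or body that repeats a name."""
    names = [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return len(names) != len(set(names))


# A naive filter that scans each value on its own. The pattern is a toy
# SQL-injection signature constructed here, not a real WAF rule.
SQLI = re.compile(r"\bselect\b.*\bfrom\b", re.IGNORECASE)


def naive_waf_flags(query):
    """Inspects each parameter value before the backend joins duplicates."""
    return any(SQLI.search(v) for _, v in parse_qsl(query, keep_blank_values=True))


def backend_sees_injection(query):
    """What a comma-concatenating backend actually evaluates."""
    return any(SQLI.search(v) for v in parse_concatenate(query).values())


if __name__ == "__main__":
    print(probe_duplicates("par1=val1&par1=val2", "par1"))
    body = build_transfer_body_vulnerable("1000%26action=withdraw")
    print(body, "->", parse_last_wins(body)["action"])
    split = "q=select 1&q=2,3 from users"
    print("per-value filter:", naive_waf_flags(split), "backend:", backend_sees_injection(split))
```

The split-query case is the classic concatenation bypass: neither "select 1" nor "2,3 from users" matches the signature on its own, but the backend joins them into "select 1,2,3 from users". The practical defence is the one `has_duplicate_params` and `build_transfer_body_safe` show together: never assemble request bodies by string concatenation, and treat a repeated parameter name as a hard error rather than letting the framework's default policy decide.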
Prerequisites
  1. HTTP protocol is used with some GET/POST parameters passed

Resources Required
  1. Any tool that enables intercepting and tampering with HTTP requests
