Content deleted Content added
fixed typos, and added grammar |
|||
| (6 intermediate revisions by 5 users not shown) | |||
Line 1:
{{short description|Web security vulnerability}}
{{HTTP}}
'''HTTP Parameter Pollution''' ('''HPP''') is a [[web application]] [[Vulnerability (computing)|vulnerability]] exploited by injecting encoded [[query string]] [[delimiters]] in already existing [[parameters]]. The vulnerability occurs if user input is not correctly encoded for output by a web application.{{Sfn|Balduzzi|Torrano-Gimenez|Carmen|Kirda|2011|p=2}} This vulnerability allows the injection of parameters into web application-created URLs. It was first brought forth to the public in 2009 by Stefano di Paola and Luca Carettoni, in the conference [[OWASP]] EU09 Poland.{{Sfn|Balduzzi|Torrano-Gimenez|Carmen|Kirda|2011|p=2}} The impact of such vulnerability varies, and it can range from "simple annoyance" to complete disruption of the intended behavior of a web application. Overriding HTTP parameters to alter a web application's behavior, bypassing input and access validation checkpoints, as well as other indirect vulnerabilities, are possible consequences of a HPP attack.{{Sfn|Balduzzi|Torrano-Gimenez|Carmen|Kirda|2011|p=2}}
'''HTTP Parameter Pollution,''' or HPP, is a vulnerability that occurs due to the passing of multiple parameters having the same name. There is no [[Request for Comments|RFC]] standard on what should be done when it has passed multiple parameters. This vulnerability was first discovered in 2009.<!-- by whom, if anyone knows they can update --><ref name="owasp_hpp">{{cite web|url= https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution|title=WSTG - Latest:Testing for HTTP Parameter Pollution}}</ref> HPP could be used for cross channel pollution, bypassing [[CSRF]] protection and [[Web application firewall|WAF]] input validation checks.<ref>{{cite web|url=http://www.madlab.it/slides/BHEU2011/whitepaper-bhEU2011.pdf|title=HTTP Parameter Pollution Vulnerabilities in Web Applications|date=2011}}</ref>▼
▲
==Behaviour==
When they are passed multiple parameters with the same name, here is how various back ends behave.<ref name="owasp_hpp">{{cite web|title=WSTG - Latest:Testing for HTTP Parameter Pollution|url=https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution}}</ref>
{| class="wikitable"
|+ Behaviour when "param" is passed the values "val1" & "val2"
|-
! Technology !! Parsing result !! Example
Line 36 ⟶ 39:
| Python/Zope || All occurrences in list(array) || param=['val1','val2']
|}
==Types==
===Client-side===
* First Order / Reflected HPP<ref name="owasp_hpp_paper">{{cite web|url=https://owasp.org/www-pdf-archive/AppsecEU09_CarettoniDiPaola_v0.8.pdf|title=HTTP Parameter Pollution|
* Second Order / Stored HPP<ref name="owasp_hpp_paper" />
* Third Order / DOM HPP<ref name="owasp_hpp_paper" />
Line 62 ⟶ 64:
[[Category:Computer security exploits]]
== Bibliography ==
* {{Cite conference|last1=Balduzzi|first1=Marco|last2=Torrano-Gimenez|first2=Carmen|last3=Balzarotti|first3=Davide|last4=Kirda|first4=Engin|date=2011|title=Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications|url=https://www.researchgate.net/publication/221655534|conference=Proceedings of the Network and Distributed System Security Symposium, NDSS 2011|ref=CITEREFBalduzziTorrano-GimenezCarmenKirda2011|via=[[ResearchGate]]}}
{{Web-stub}}
| |||