'''HTTP Parameter Pollution''', or HPP for short, is a vulnerability that arises when multiple parameters with the same name are passed. There is no [[Request for Comments|RFC]] standard on what should be done when multiple parameters with the same name are passed. This vulnerability was first discovered in 2009.<!-- by whom, if anyone knows they can update --><ref name="owasp_hpp">{{cite web|url=https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution|title=WSTG - Latest:Testing for HTTP Parameter Pollution}}</ref> HPP could be used for cross-channel pollution and for bypassing [[CSRF]] protection and [[Web application firewall|WAF]] input validation checks.<ref>{{cite web|url=http://www.madlab.it/slides/BHEU2011/whitepaper-bhEU2011.pdf|title=HTTP Parameter Pollution Vulnerabilities in Web Applications|date=2011}}</ref>
==Behaviour==
When multiple parameters with the same name are passed, here is how the backend behaves.
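The following Python sketch is an added illustration, not part of the original article or of any cited project. It shows why the lack of a standard matters for input validation: a front-end check and a back end that resolve a repeated name differently see different values, and a request can be refused when any name repeats. The policy names (<code>first</code>, <code>last</code>, <code>concat</code>), the helper functions and the sample query string are assumptions constructed for this example.

```python
from collections import defaultdict
from urllib.parse import parse_qsl

# Generic resolution policies (assumed labels); which one applies depends on the stack.
POLICIES = {
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
    "concat": lambda vals: ",".join(vals),
}

def group_params(query):
    """Parse a query string, keeping every value of every name in order."""
    grouped = defaultdict(list)
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped[name].append(value)
    return dict(grouped)

def resolve(query, name, policy):
    """Value a component using `policy` would see for `name` (None if absent)."""
    vals = group_params(query).get(name)
    return POLICIES[policy](vals) if vals else None

def duplicated_names(query):
    """Names that occur more than once: the precondition for HPP."""
    return sorted(n for n, v in group_params(query).items() if len(v) > 1)

def check_request(query, validate, name, front="first", back="last"):
    """Report whether a front-end check and a back end disagree on `name`."""
    seen_by_front = resolve(query, name, front)
    seen_by_back = resolve(query, name, back)
    return {
        "duplicates": duplicated_names(query),
        "front_sees": seen_by_front,
        "back_sees": seen_by_back,
        "front_accepts": validate(seen_by_front),
        "mismatch": seen_by_front != seen_by_back,
    }

# Constructed sample: a numeric-only check on "id", applied to the first value.
SAMPLE = "id=42&lang=en&id=not-a-number"
is_numeric = lambda v: v is not None and v.isdigit()

if __name__ == "__main__":
    print(check_request(SAMPLE, is_numeric, "id"))
    # Mitigation: refuse the request outright when any name repeats.
    print("reject" if duplicated_names(SAMPLE) else "allow")
```

Rejecting requests with repeated names is only appropriate for parameters the application does not intentionally accept as multi-valued.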