Revision as of 22:26, 26 August 2021 edit BunnyyHop (talk \| contribs) Extended confirmed users 1,515 edits exp. Tag: Visual edit ← Previous edit		Revision as of 02:56, 3 April 2022 edit undo Phyzome (talk \| contribs) Extended confirmed users 1,181 edits More accurate description of prevention Next edit →
Line 1: {{short description\|Web security vulnerability}} {{HTTP}} '''HTTP Parameter Pollution''' ('''HPP''') is a [[web application]] [[Vulnerability (computing)\|vulnerability]] exploited by injecting encoded [[query string]] [[delimiters]] in already existing [[parameters]]. The vulnerability occurs if user input is not ~~sanitized~~ correctly encoded for output by a web application.{{Sfn\|Balduzzi\|Torrano-Gimenez\|Carmen\|Kirda\|2011\|p=2}} This vulnerability allows the injection of parameters into web application-created URLs. It was first brought forth to the public in 2009 by Stefano di Paola and Luca Carettoni, in the conference [[OWASP]] EU09 Poland.{{Sfn\|Balduzzi\|Torrano-Gimenez\|Carmen\|Kirda\|2011\|p=2}} The impact of such vulnerability varies, and it can range from "simple annoyance" to complete disruption of the intended behavior of a web application. Overriding HTTP parameters to alter a web application's behavior, bypassing input and access validation checkpoints, as well as other indirect vulnerabilities, are possible consequences of a HPP attack.{{Sfn\|Balduzzi\|Torrano-Gimenez\|Carmen\|Kirda\|2011\|p=2}} There is no [[Request for Comments\|RFC]] standard on what should be done when it has passed multiple parameters. HPP could be used for cross channel pollution, bypassing [[CSRF]] protection and [[Web application firewall\|WAF]] input validation checks.<ref>{{cite web\|url=http://www.madlab.it/slides/BHEU2011/whitepaper-bhEU2011.pdf\|title=HTTP Parameter Pollution Vulnerabilities in Web Applications\|date=2011}}</ref>

HTTP parameter pollution: Difference between revisions