Revision as of 17:23, 12 July 2020 edit Machinexa (talk \| contribs) Extended confirmed users 2,808 edits mNo edit summary ← Previous edit		Revision as of 17:35, 12 July 2020 edit undo Machinexa (talk \| contribs) Extended confirmed users 2,808 edits Server Behaviour Next edit →
Line 1: '''HTTP Parameter Pollution''' or HPP in short is a vulnerability that occurs due to passing of multiple parameters having same name. There is no [[Request_for_Comments\|RFC]] standard on what should be done when passed multiple parameters. This vulnerability was first discovered in 2009. <!-- by whom, if anyone knows they can update --><ref name="owasp_hpp">{{cite web\|url= https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution\|title=WSTG - Latest:Testing for HTTP Parameter Pollution}}</ref>. HPP could be used for cross channel pollution, bypassing CSRF protection and WAF input validation checks.<ref>{{cite web\|url=http://www.madlab.it/slides/BHEU2011/whitepaper-bhEU2011.pdf\|title=HTTP Parameter Pollution Vulnerabilities in Web Applications\|date=2011}}</ref> ==Behaviour== When passed multiple parameters with same name, here is how backend behaves {\| class="wikitable" \|+ Behaviour \|- ! Technology !! Parsing result !! Example \|- \| ASP.NET/IIS \|\| All occurrences concatenated with a comma \|\| param=val1,val2 \|- \| ASP/IIS \|\| All occurrences concatenated with a comma \|\| param=val1,val2 \|- \| PHP/Apache \|\| Last occurence only \|\| param=val2 \|- \| PHP/Zeus \|\| Last occurence only \|\| param=val2 \|- \| JSP, Servlet/Apache Tomcat \|\| First occurence only \|\| param=val1 \|- \| JSP, Servlet/Oracle Application Server \|\| First occurence only \|\| param=val1 \|- \| JSP, Servlet/Jetty \|\| First occurence only \|\| param=val1 \|- \| IBM Lotus Domino \|\|Last occurrence only \|\| param=val2 \|- \| IBM HTTP Server \|\| First occurence only \|\| param=val1 \|- \| mod_perl,libapreq2/Apache\|\| First occurence only \|\| param=val1 \|- \| JSP, Servlet/Jetty \|\| First occurence only \|\| param=val1 \|- \| Perl CGI/Apache \|\| First occurence only \|\| param=val1 \|- \| mod_wsgi (Python)/Apache \|\| First occurence only \|\| param=val1 \|- \| Python/Zope \|\| All occurences in list(array) \|\| param=['val1','val2'] \|} <ref name="owasp_hpp" /> ==See Also== *[[HTTP_response_splitting]]

HTTP parameter pollution: Difference between revisions