HTTP parameter pollution: Difference between revisions

'''HTTP Parameter Pollution''' or HPP in short is a vulnerability that occurs due to passing of multiple parameters having same name. There is no [[Request_for_CommentsRequest for Comments|RFC]] standard on what should be done when passed multiple parameters. This vulnerability was first discovered in 2009.<!-- by whom, if anyone knows they can update --><ref name="owasp_hpp">{{cite web|url= https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution|title=WSTG - Latest:Testing for HTTP Parameter Pollution}}</ref> HPP could be used for cross channel pollution, bypassing [[CSRF]] protection and [[Web_application_firewallWeb application firewall|WAF]] input validation checks.<ref>{{cite web|url=http://www.madlab.it/slides/BHEU2011/whitepaper-bhEU2011.pdf|title=HTTP Parameter Pollution Vulnerabilities in Web Applications|date=2011}}</ref>

| PHP/Apache || Last occurenceoccurrence only || param=val2

| PHP/Zeus || Last occurenceoccurrence only || param=val2

| JSP, Servlet/Apache Tomcat || First occurenceoccurrence only || param=val1

| JSP, Servlet/Oracle Application Server || First occurenceoccurrence only || param=val1

| JSP, Servlet/Jetty || First occurenceoccurrence only || param=val1

| IBM HTTP Server || First occurenceoccurrence only || param=val1

| mod_perl,libapreq2/Apache|| First occurenceoccurrence only || param=val1

| Perl CGI/Apache || First occurenceoccurrence only || param=val1

| mod_wsgi (Python)/Apache || First occurenceoccurrence only || param=val1

| Python/Zope || All occurencesoccurrences in list(array) || param=['val1','val2']