HTTP Parameter Pollution (HPP) is a web application vulnerability exploited by injecting encoded query string delimiters in already existing parameters. The vulnerability occurs if user input is not correctly encoded for output by a web application.[1] This vulnerability allows the injection of parameters into web application-created URLs. It was first brought forth to the public in 2009 by Stefano di Paola and Luca Carettoni, in the conference OWASP EU09 Poland.[1] The impact of such vulnerability varies, and it can range from "simple annoyance" to complete disruption of the intended behavior of a web application. Overriding HTTP parameters to alter a web application's behavior, bypassing input and access validation checkpoints, as well as other indirect vulnerabilities, are possible consequences of a HPP attack.[1]
There is no RFC standard on what should be done when it has passed multiple parameters. HPP could be used for cross channel pollution, bypassing CSRF protection and WAF input validation checks.[2]
^ abcBalduzzi et al. 2011, p. 2.
^"HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.
and 25 Related for: HTTP parameter pollution information
HTTPParameterPollution (HPP) is a web application vulnerability exploited by injecting encoded query string delimiters in already existing parameters...
HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it, if...
communications, the HTTP 404, 404 not found, 404, 404 error, page not found, or file not found error message is a hypertext transfer protocol (HTTP) standard response...
The HTTP response status code 302 Found is a common way of performing URL redirection. The HTTP/1.0 specification (RFC 1945) initially defined this code...
On the World Wide Web, HTTP 301 is the HTTP response status code for 301 Moved Permanently. It is used for permanent redirecting, meaning that links or...
The ETag or entity tag is part of HTTP, the protocol for the World Wide Web. It is one of several mechanisms that HTTP provides for Web cache validation...
In HTTP, "Referer" (a misspelling of Referrer) is an optional HTTP header field that identifies the address of the web page (i.e., the URI or IRI), from...
This is a list of Hypertext Transfer Protocol (HTTP) response status codes. Status codes are issued by a server in response to a client's request made...
include a "Link" HTTP header field whose value is a URI reference identifying itself. The "Link" header field must then have a "rel" parameter whose value...
The HTTP response status code 303 See Other is a way to redirect web applications to a new URI, particularly after a HTTP POST has been performed, since...
Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is...
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over...
HTTP persistent connection, also called HTTP keep-alive, or HTTP connection reuse, is the idea of using a single TCP connection to send and receive multiple...
HTTP pipelining is a feature of HTTP/1.1, which allows multiple HTTP requests to be sent over a single TCP connection without waiting for the corresponding...
HTTP Message Body is the data bytes transmitted in an HTTP transaction message immediately following the headers if there are any (in the case of HTTP/0...
HTTP header injection is a general class of web application security vulnerability which occurs when Hypertext Transfer Protocol (HTTP) headers are dynamically...
the HTTP protocol. This standard is obsolete since July 2011. Digest access authentication was originally specified by RFC 2069 (An Extension to HTTP: Digest...
The HTTP Location header field is returned in responses from an HTTP server under two circumstances: To ask a web browser to load a different web page...
HTTP header fields are a list of strings sent and received by both the client program and server on every HTTP request and response. These headers are...
(XHR) is an API in the form of a JavaScript object whose methods transmit HTTP requests from a web browser to a web server. The methods allow a browser-based...
HTTP cookies (also called web cookies, Internet cookies, browser cookies, or simply cookies) are small blocks of data created by a web server while a user...
HTTP request smuggling (HRS) is a security exploit on the HTTP protocol that takes advantage of an inconsistency between the interpretation of Content-Length...
Secure Hypertext Transfer Protocol (S-HTTP) is an obsolete alternative to the HTTPS protocol for encrypting web communications carried over the Internet...
HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize...