HTTP Parameter Pollution

Concatenating unvalidated input into a URL can allow an attacker to override the value of a request parameter. Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach.

HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user may compromise the logic of the application to perform either client-side or server-side attacks. By submitting additional parameters to a web application, and if these parameters have the same name as an existing parameter, the web application may react in one of the following ways:

It may only take the data from the first parameter
It may take the data from the last parameter
It may take the data from all parameters and concatenate them together


For example:
- ASP.NET/IIS uses all occurrences of the parameters
- Apache Tomcat uses only the first occurrence and ignores others
- mod_perl/Apache converts the value into an array of values

Example 1: Depending on the application server and the logic of the application itself, the following request might cause confusion to the authentication system and allow an attacker to impersonate another user.
http://www.server.com/login.aspx?name=alice&name=hacker

Example 2: The following code uses input from an HTTP request to render two hyperlinks.

    ...
    String lang = Request.Form["lang"];
    WebClient client = new WebClient();
    client.BaseAddress = url;
    NameValueCollection myQueryStringCollection = new NameValueCollection();
    myQueryStringCollection.Add("q", lang);
    client.QueryString = myQueryStringCollection;
    Stream data = client.OpenRead(url);
    ...

URL: http://www.host.com/election.aspx?poll_id=4567
Link1: <a href="http://www.host.com/vote.aspx?poll_id=4567&lang=en">English<a>
Link2: <a href="http://www.host.com/vote.aspx?poll_id=4567&lang=es">Spanish<a>

The programmer has not considered the possibility that an attacker could provide a lang such as en&poll_id=1, and then the attacker may be able to change the poll_id at will.

Concatenating unvalidated input into a URL can allow an attacker to override the value of a request parameter. Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach.

HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user may compromise the logic of the application to perform either client-side or server-side attacks. By submitting additional parameters to a web application, and if these parameters have the same name as an existing parameter, the web application may react in one of the following ways:

It may only take the data from the first parameter
It may take the data from the last parameter
It may take the data from all parameters and concatenate them together


For example:
- ASP.NET/IIS uses all occurrences of the parameters
- Apache Tomcat uses only the first occurrence and ignores others
- mod_perl/Apache converts the value into an array of values

Example 1: Depending on the application server and the logic of the application itself, the following request might cause confusion to the authentication system and allow an attacker to impersonate another user.
http://www.server.com/login.php?name=alice&name=hacker

Example 2: The following code uses input from an HTTP request to render two hyperlinks.

    <%
        ...
        $id = $_GET["id"];
        header("Location: http://www.host.com/election.php?poll_id=" . $id);
        ...
    %>

URL: http://www.host.com/election.php?poll_id=4567
Link1: <a href="vote.php?poll_id=4567&candidate=white">Vote for Mr. White<a>
Link2: <a href="vote.php?poll_id=4567&candidate=green">Vote for Mrs. Green<a>

The programmer has not considered the possibility that an attacker could provide a poll_id such as "4567&candidate=green", and then the resulting page will contain the following injected links and hence Mrs. Green will always be voted on an application server which picks the first parameter.
<a href="vote.php?poll_id=4567&candidate=green&candidate=white">Vote for Mr. White<a>
<a href="vote.php?poll_id=4567&candidate=green&candidate=green">Vote for Mrs. Green<a>

Concatenating unvalidated input into a URL can allow an attacker to override the value of a request parameter. Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach.

HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user may compromise the logic of the application to perform either client-side or server-side attacks. By submitting additional parameters to a web application, and if these parameters have the same name as an existing parameter, the web application may react in one of the following ways:

It may only take the data from the first parameter.
It may take the data from the last parameter.
It may take the data from all parameters and concatenate them together.


For example:
- ASP.NET/IIS uses all occurrences of the parameters
- Apache Tomcat uses only the first occurrence and ignores others
- mod_perl/Apache converts the value into an array of values

Example 1: Depending on the application server and the logic of the application itself, the following request might cause confusion to the authentication system and allow an attacker to impersonate another user.
http://www.server.com/login.php?name=alice&name=hacker

As this shows, the attacker already has name=alice specified, but they've added an additional name=alice&, and if this is being used on a server that takes the first occurrence, then this may impersonate alice in order to get further information regarding her account.