HTTP Parameter Pollution [deprecated]

Severity: Medium

Summary

Invicti detected that the website is vulnerable to client-side HTTP Parameter Pollution (HPP).

HPP occurs when a target system accepts multiple parameters with the same name and handles them in a manner that might be insecure or unexpected.

When multiple parameters with the same name are sent to a server, different languages and frameworks handle them in different ways. Some systems, such as PHP/Apache, process only the last occurrence of a repeated parameter. ASP.NET/IIS, on the other hand, combines the values with commas.

 

For instance:

http://www.example.com/?color=red&color=blue

PHP/Apache:

PHP/Apache will process only the last occurrence of the parameter color: "blue"

ASP.NET/IIS:

ASP.NET/IIS will concatenate all parameter values with commas: color=red,blue

JSP, Servlet, Apache Tomcat:

This stack will take the first occurrence of the parameter "color". Therefore, its value will be red.

Impact

Whether or not HPP constitutes a serious vulnerability depends on the specific application's code. The impact can range from bypassing filters and security control mechanisms to changing application flow. Additionally, an attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checks, and access and possibly exploit variables that may be out of direct reach for an attacker.

Remediation

All user-supplied data that is reflected in the HTML source code of the HTTP response should be encoded according to the context in which it is reflected. For example, use URL-encoding, instead of HTML entities, in attributes in which input is reflected.
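The following Python sketch is an added example, not Invicti's code. It models the three duplicate-handling behaviors described above and shows how URL-encoding a reflected value keeps it from adding a second copy of a hard-coded parameter to a generated link. The `/view` path, the `action` parameter, the function names and the sample input are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, quote, urlsplit

def resolve(query, policy):
    """Collapse repeated parameters the way each stack on this page does."""
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in out:
            out[name] = value            # every policy keeps the first sighting
        elif policy == "last":           # PHP/Apache: last occurrence wins
            out[name] = value
        elif policy == "join":           # ASP.NET/IIS: values joined with commas
            out[name] += "," + value
        # policy == "first" (JSP/Servlet/Tomcat): later occurrences are ignored
    return out

def build_link(user_color, encode):
    """Reflect a decoded request value into a link with a hard-coded parameter."""
    value = quote(user_color, safe="") if encode else user_color
    return "/view?action=show&color=" + value

def duplicated_params(url):
    """Names that occur more than once in the URL's query string."""
    names = [n for n, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return sorted({n for n in names if names.count(n) > 1})

# Constructed sample: the value of "color" after the server has decoded
# a request such as ?color=red%26action%3Dedit
SAMPLE = "red&action=edit"

if __name__ == "__main__":
    for policy in ("last", "join", "first"):
        print(policy, resolve("color=red&color=blue", policy))
    for encode in (False, True):
        link = build_link(SAMPLE, encode)
        print(link, "duplicates:", duplicated_params(link))
```

A check like `duplicated_params` can also run over links in rendered responses during testing to flag templates that reflect input without URL-encoding.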
