HTTP Parameter Pollution (HPP) Cheat Sheet

HTTP Parameter Pollution (HPP) is a security vulnerability that occurs when multiple values are assigned to the same parameter. This can lead to unexpected behavior in web applications, potentially causing security issues. Here’s a cheat sheet on HTTP Parameter Pollution:

Introduction

  • Definition:
    • HPP occurs when a single parameter receives multiple values, leading to ambiguity and potential security vulnerabilities.

Common Attack Vectors

  • URL Parameters:
    • Modify query string parameters in the URL.
http://example.com/page?param=value1&param=value2

POST Parameters:

  • Manipulate form data sent via POST requests.
POST /submit
Content-Type: application/x-www-form-urlencoded

param=value1&param=value2

Cookie Parameters:

  • Manipulate cookie values.
Cookie: param=value1; param=value2

Attack Scenarios

  • Data Integrity:
    • Altering parameters to manipulate data or functionality.
  • Authorization Bypass:
    • Attempting to override user roles or permissions.
  • Security Feature Bypass:
    • Bypassing security controls by manipulating parameters.

Payloads

  • Appending Values:
    • param=value1&param=value2
  • Special Characters:
    • param=value1%26param=value2
  • Encoding:
    • URL encoding values for obfuscation.

Mitigation Techniques

  • Input Validation:
    • Validate and sanitize user inputs on the server-side.
  • Whitelisting:
    • Limit the accepted values for parameters.
  • Context-Aware Escaping:
    • Use proper escaping mechanisms for different contexts (HTML, SQL, etc.).

Tools

  • HPP Scanner:
    • Tools like OWASP ZAP or Burp Suite can help detect HPP vulnerabilities.

Reporting

  • Responsible Disclosure:
    • If you discover an HPP vulnerability, report it responsibly to the website owner or developer.

Example Scenario

Original URL:

http://example.com/search?query=keyword

HPP Attempt:

http://example.com/search?query=keyword1&query=keyword2

Prevention Tips

  • Educate Developers:
    • Ensure developers are aware of the risks and implement secure coding practices.
  • Regular Audits:
    • Conduct regular security audits to identify and fix vulnerabilities.

Additional Resources

OWASP:

  • Refer to the OWASP (Open Web Application Security Project) documentation for in-depth information on web application security.

This cheat sheet provides a basic overview of HTTP Parameter Pollution, common attack vectors, mitigation techniques, and additional resources. Keep in mind that each web application is unique, and security measures should be tailored to the specific requirements and technologies in use.