HTTP Parameter Pollution
ID: http_parameter_pollution
Severity: info
Kind: Injection
CWE: 20
Description
HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
Rationale
HTTP Parameter Pollution exploits inconsistent handling of duplicate parameters across web servers, application frameworks, and backends. Attackers inject encoded delimiters and duplicate parameter names to bypass input validation, override security checks, or access restricted functionality. Platforms resolve a duplicated name differently (some keep the first value, some the last, some concatenate all of them), so the same request can be validated by one layer and interpreted quite differently by the next, allowing attackers to manipulate application logic and potentially escalate privileges or inject malicious content.
Remediation
Implement strict input validation to reject or sanitize requests containing duplicate parameter names or encoded delimiters like ampersands and semicolons. Use allowlists for expected parameter names and enforce single-value constraints where appropriate. Ensure consistent parameter parsing across all application layers by standardizing how your framework handles duplicate parameters, and log suspicious patterns for monitoring.
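As an added example (not part of this entry or any scanner's own code), the following Python parser applies the remediation above: an allowlist of parameter names, a single-value rule, and a check for delimiters that survive decoding, plus a small helper that shows how first-wins, last-wins and concatenating platforms disagree on the same duplicated name. The ALLOWED set and the error strings are assumptions chosen for illustration.

```python
from urllib.parse import parse_qsl

# Hypothetical allowlist: the only parameter names this endpoint accepts.
ALLOWED = {"id", "action"}


def parse_strict(query, allowed=ALLOWED):
    """Parse a query string and reject HPP patterns.

    Returns (params, errors): params holds exactly one value per accepted
    name; a non-empty errors list means the request should be refused.
    """
    errors = []
    seen = {}
    # parse_qsl decodes each name/value pair exactly once.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in allowed:
            errors.append(f"unexpected parameter: {name}")
            continue
        if name in seen:
            # Single-value rule: a repeated name is refused, not merged.
            errors.append(f"duplicate parameter: {name}")
            continue
        # A decoded value that still contains '&', ';' or '=' came in as an
        # encoded delimiter (e.g. %26); a downstream layer that decodes again
        # would split it into extra parameters, so refuse it here.
        if any(d in value for d in "&;="):
            errors.append(f"encoded delimiter in {name}")
            continue
        seen[name] = value
    return seen, errors


def resolution_examples(query):
    """Show how three common platform behaviours read a duplicated name."""
    first, last, concat = {}, {}, {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        first.setdefault(name, value)           # first occurrence wins
        last[name] = value                      # last occurrence wins
        concat[name] = (concat[name] + "," + value) if name in concat else value
    return first, last, concat
```

Running the strict parser on the same query at every layer (edge, framework, backend) removes the inconsistency the attack depends on.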