HTTP PARAMETER POLLUTION

VISHNU VARDHAN

--

“I would like to acknowledge that this blog on HTTP parameter pollution draws upon insights and references from the Pwn Function video, which provided valuable guidance in crafting this content”

  • HTTP Parameter Pollution (HPP) is a web attack and evasion technique in which an attacker crafts an HTTP request that carries the same parameter more than once, in order to manipulate server-side behaviour or retrieve hidden information.
  • It occurs when the same HTTP parameter is sent multiple times in one request, and the server has to decide which value (or values) to use.

Example :

/details/?user=baymax&user=vishnu%20vardhan
  • Coming to the above example: which value will the server take?
  • Google takes both values.
  • Yahoo takes the first value.
  • As this example shows, it depends on the back-end web server and application framework.
  • Some servers take the first value, others take the last, and some keep all of them.
  • Here is a list of common stacks and which value they take:
1. JSP/Servlet + Tomcat ->> takes the first value
2. PHP + Apache ->> takes the last value
3. ASP.NET + IIS ->> takes both values (concatenated with a comma)
  • There is no standard that says how duplicate HTTP parameters must be handled, so every stack behaves differently, and that inconsistency is exactly what HPP exploits.

Let's step into an example:

  • There is a bank application and we want to transfer money to a different account.
  • Here we are sending $10 to Jake's account.
  • Using Burp Proxy we can see all the traffic from the browser to the server.
  • After the transfer our remaining balance is $90.
amount=10&to=jake
  • We can see two parameters, amount and to; to is the name of the person who receives the money.
  • The browser sends this HTTP request to the bank's web server, and the web server in turn makes its own request to the payment gateway.
  • The request to the payment gateway looks like this:
http://payment-gateway.com:8181/?from=attacker&to=jake&amount=10
  • The from parameter is filled in by the server, not by us, while the to value we control is copied into that request as-is.
  • We get to know that the application is written in PHP and the server is Apache.
  • As we discussed, PHP + Apache takes the last value.
  • So we can pollute the gateway request by smuggling two extra parameters inside the to value. The injected & and = must be URL-encoded (%26 and %3D) in our request, so the bank's web server treats them as part of to and only the gateway splits them: to=jake%26from%3Djake%26to%3Dattacker. The gateway then receives:
from=attacker&to=jake&from=jake&to=attacker&amount=10
  • The gateway ignores the first from and to and takes the second ones, so the transfer now runs from Jake to the attacker.
  • We have finally stolen money from Jake's account. Before we had just $90 and our final balance is now $1090.
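The following Python is an added example, not code from the original post or from the Pwn Function video. It models the three duplicate-parameter policies from the stack list above (first, last, all) and replays the transfer scenario against a gateway that behaves like PHP + Apache (last value wins), first with the bank's vulnerable request builder and then with a hardened one. The policy table, the account names, the helper names and every query string are constructed for the demo; nothing here talks to a real server.

```python
"""HTTP Parameter Pollution demo (added example, not the post's own code).

Models how duplicate query parameters are resolved by different stacks and
replays the bank transfer attack against a last-value-wins gateway.
Account names, policies and query strings are constructed for this demo.
"""
from urllib.parse import parse_qsl, urlencode

# Duplicate-parameter policies as described in the post's list (assumption:
# these model the documented behaviour; they do not run the real servers).
POLICIES = {
    "first": lambda values: values[0],         # JSP/Servlet + Tomcat
    "last": lambda values: values[-1],         # PHP + Apache
    "all": lambda values: ",".join(values),    # ASP.NET + IIS (comma-joined)
}


def resolve(query: str, policy: str) -> dict:
    """Parse a query string and collapse repeated keys with the given policy."""
    grouped: dict = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(key, []).append(value)
    pick = POLICIES[policy]
    return {key: pick(values) for key, values in grouped.items()}


def build_gateway_query_vulnerable(sender: str, to: str, amount: str) -> str:
    """The bank's vulnerable server-to-server request: the user-controlled
    `to` value is concatenated raw, so an '&' inside it becomes a new
    parameter once the gateway parses the string."""
    return f"from={sender}&to={to}&amount={amount}"


def build_gateway_query_hardened(sender: str, to: str, amount: str) -> str:
    """Fix on the bank side: percent-encode every value. '&' becomes '%26'
    and '=' becomes '%3D', so the gateway still sees exactly three parameters."""
    return urlencode({"from": sender, "to": to, "amount": amount})


def gateway_transfer(query: str) -> dict:
    """Model of the PHP + Apache gateway: the last occurrence of each
    parameter wins, which is what the attacker relies on."""
    params = resolve(query, "last")
    return {"from": params["from"], "to": params["to"], "amount": int(params["amount"])}


def gateway_transfer_strict(query: str) -> dict:
    """Defence on the gateway side: refuse any request with a repeated
    parameter instead of silently picking one of the values."""
    seen: dict = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in seen:
            raise ValueError(f"duplicate parameter rejected: {key}")
        seen[key] = value
    return {"from": seen["from"], "to": seen["to"], "amount": int(seen["amount"])}


if __name__ == "__main__":
    # The post's first example: the same parameter sent twice.
    for policy in POLICIES:
        print(policy, resolve("user=baymax&user=vishnu%20vardhan", policy))

    # What the bank's PHP front end holds after URL-decoding the attacker's
    # form field to=jake%26from%3Djake%26to%3Dattacker (constructed input).
    polluted_to = "jake&from=jake&to=attacker"
    bad = build_gateway_query_vulnerable("attacker", polluted_to, "10")
    print("gateway receives:", bad)
    print("gateway executes:", gateway_transfer(bad))    # from jake to attacker

    good = build_gateway_query_hardened("attacker", polluted_to, "10")
    print("hardened request:", good)
    print("hardened executes:", gateway_transfer(good))  # from attacker, to is a single odd name
    try:
        gateway_transfer_strict(bad)
    except ValueError as err:
        print("strict gateway:", err)
```

Two separate controls are shown on purpose: the bank must encode values it forwards (so user input can never introduce a parameter separator), and the gateway should reject duplicated parameters rather than guess, because the attacker only needs one of the two layers to pick a convenient value.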
