HTTP Parameter Pollution (HPP) is aweb applicationvulnerability exploited by injecting encodedquery stringdelimiters in already existingparameters. The vulnerability occurs if user input is not correctly encoded for output by a web application.^[1] This vulnerability allows the injection of parameters into web application-created URLs. It was first brought forth to the public in 2009 by Stefano di Paola and Luca Carettoni, in the conferenceOWASP EU09 Poland.^[1] The impact of such vulnerability varies, and it can range from "simple annoyance" to complete disruption of the intended behavior of a web application. Overriding HTTP parameters to alter a web application's behavior, bypassing input and access validation checkpoints, as well as other indirect vulnerabilities, are possible consequences of a HPP attack.^[1]

There is noRFC standard on what should be done when it has passed multiple parameters. HPP could be used for cross channel pollution, bypassingCSRF protection andWAF input validation checks.^[2]

When they are passed multiple parameters with the same name, here is how various back ends behave.^[3]

• First Order / Reflected HPP^[4]
• Second Order / Stored HPP^[4]
• Third Order / DOM HPP^[4]

• Standard HPP^[4]
• Second Order HPP^[4]

Proper input validation and awareness about web technology on HPP is protection against HTTP Parameter Pollution.^[5]

• HTTP response splitting
• HTTP request smuggling

• Balduzzi, Marco; Torrano-Gimenez, Carmen; Balzarotti, Davide; Kirda, Engin (2011).Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications. Proceedings of the Network and Distributed System Security Symposium, NDSS 2011 – viaResearchGate.

ThisWorld Wide Web–related article is astub. You can help Wikipedia byadding missing information.

• v
• t
• e

• Hypertext Transfer Protocol
• Internet security
• Computer security exploits
• World Wide Web stubs

• Articles with short description
• Short description matches Wikidata
• All stub articles