HTTP Parameter Pollution (HPP) vulnerabilities allow attackers to exploit web applications by manipulating the query parameters in the URL and the request body, which can lead to Cross-Site Scripting, privilege escalation or an authorization bypass.
- HPP affects both server-side and client-side components: it injects additional or duplicate parameters (via GET, POST or Cookie) into links, tags, attributes and other entry points, and so can affect the building blocks of every web technology present in the environment.
- HPP attacks may add parameters or overwrite existing parameter values by injecting query-string delimiters into existing HTTP parameters (e.g. GET/POST/Cookie).
- The impact of HPP varies with the affected functionality of the application; it can be used to bypass input validation or a WAF, which results in unexpected application behaviour.
- If exploitable, it can be launched as a client-side or a server-side attack.
For example, when the web server concatenates the values of duplicate parameters, an attacker can submit half of a payload in the first copy and half in the second, letting the server join the pieces together. In some cases this bypasses the WAF and input validation.
Proof of Concept
Attack Vectors: “test”, “data”
From the above URL, we can see that the query-string parameter “q” occurs twice, with the values “test” and “data” respectively, and that the output is the last occurrence of the parameter “q”.
Fig. 1: Output is the Last occurrence of the parameter in the body
Attack Vectors: “test”, “data”
From the above URL, we can see that the query-string parameter “searchTerm” occurs twice, with the values “test” and “data” respectively, and that the output contains both occurrences of the parameter “searchTerm”.
Fig. 2: Output is both the occurrence of the parameter in the body
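The two scenarios above differ only in the policy the platform applies when the same parameter name appears more than once: Fig. 1 keeps the last value, Fig. 2 keeps both. The following added example (not part of the original article) makes those policies explicit over a constructed query string built from the article's own "test"/"data" values, and adds a `duplicated_parameters` check that a reviewer or a log-analysis script can use to flag a polluted request. The policy names are illustrative, not the names used by any particular framework.

```python
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl

# Constructed sample: the polluted query from the article's scenarios.
POLLUTED_QUERY = "q=test&q=data"


def parse_pairs(query: str) -> List[Tuple[str, str]]:
    """Split a query string into ordered (name, value) pairs, keeping duplicates.

    parse_qsl() deliberately does NOT collapse repeated names, so every
    occurrence is visible and the resolution policy is ours to choose.
    """
    return parse_qsl(query, keep_blank_values=True)


def first_occurrence(query: str, name: str) -> Optional[str]:
    """Policy A: the first value wins (later duplicates are ignored)."""
    for key, value in parse_pairs(query):
        if key == name:
            return value
    return None


def last_occurrence(query: str, name: str) -> Optional[str]:
    """Policy B: the last value wins (Fig. 1 in the article)."""
    result = None
    for key, value in parse_pairs(query):
        if key == name:
            result = value
    return result


def all_occurrences(query: str, name: str) -> List[str]:
    """Policy C: every value is kept as a list (Fig. 2 in the article)."""
    return [value for key, value in parse_pairs(query) if key == name]


def joined_occurrences(query: str, name: str, sep: str = ",") -> str:
    """Policy D: values are concatenated with a separator.

    This is the concatenating behaviour the article warns about: a filter
    that inspects each fragment on its own never sees the joined string.
    """
    return sep.join(all_occurrences(query, name))


def duplicated_parameters(query: str) -> List[str]:
    """Return parameter names that occur more than once.

    A non-empty result is the simplest detection signal for HPP; it can be
    run over query strings pulled from access logs or a WAF feed.
    """
    counts = Counter(key for key, _ in parse_pairs(query))
    return sorted(key for key, n in counts.items() if n > 1)


if __name__ == "__main__":
    for policy in (first_occurrence, last_occurrence, all_occurrences, joined_occurrences):
        print(f"{policy.__name__:20s} -> {policy(POLLUTED_QUERY, 'q')!r}")
    print("duplicated:", duplicated_parameters(POLLUTED_QUERY))
```

Because the same request yields "test", "data", ["test", "data"] or "test,data" depending on the policy, any security control that sits in front of the application (a WAF, a reverse proxy, an API gateway) must resolve duplicates the same way the application does, or it is checking a value the application never uses.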
- Make sure your web application validates all forms, headers, cookie fields, hidden fields and parameters, i.e. perform input validation.
- Accept parameters only where they are supposed to be supplied.
- Ensure that you encode user-supplied input whenever you make a GET/POST HTTP request to the HTTP backend.
- From the client-side point of view, use URL encoding when placing user-supplied content in links and similar locations.
- Follow strict regular expressions in URL rewriting.
- Different platforms interpret multiple occurrences of the same parameter differently. In the first scenario the output was the last occurrence, whereas in the second scenario the output was both occurrences.
- To test for this, choose any parameter and duplicate it, giving the copy a different value so the result is easy to recognise. Submit the request and observe how the web server handles the polluted parameter.
- This inconsistency in handling multiple occurrences of the same parameter is what an attacker exploits: by splitting an injection string across several copies of a parameter, the attacker can bypass security filters that inspect each copy in isolation and rely on the platform's unusual handling of duplicates to reassemble it.
Authored By - Varun Bagaria
TCS Enterprise Security and Risk Management