HTTP Parameter Pollution
HTTP Parameter Pollution (HPP) manipulates a request by injecting several parameters with the same name into it. Web servers, frameworks and proxies resolve duplicate names differently (some keep the first value, some the last, some concatenate them or return a list), so when two components of the same stack disagree, an attacker may bypass security controls, alter the application's behaviour, or access data they are not authorised to see.
A typical example of this vulnerability looks as follows:
We send a request to a login form
https://example.com/login?user=guest&pass=password
Duplicating the user parameter creates confusion between the components that process the request: if a front-end check validates one occurrence while the back-end acts on the other, this can leak information or even grant access to another account
https://example.com/login?user=admin&user=guest&pass=password
The same can be done by editing the request body directly, for example a JSON body with a duplicated key (many JSON parsers silently keep only one of the two values, usually the last)
{
"data": {
"user": "admin",
"user": "guest",
"pass": "password"
}
}
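The following is an added worked example, not code from the original page: it shows, in Python, how the same polluted request resolves to different values under the first-wins, last-wins and concatenation rules, how a front-end check that reads one occurrence can be bypassed while the back-end reads the other, and how to reject duplicate keys in both query strings and JSON bodies instead of silently picking one. The gateway rule, the backend reader and the sample requests are constructed for illustration.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests for the demonstration (not taken from a real target).
POLLUTED_URL = "https://example.com/login?user=admin&user=guest&pass=password"
POLLUTED_JSON = '{"data": {"user": "admin", "user": "guest", "pass": "password"}}'


def query_pairs(url):
    """Return every (name, value) pair of the query string in order, duplicates preserved."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def first_value(pairs, name):
    """Resolution rule: the first occurrence wins."""
    for key, value in pairs:
        if key == name:
            return value
    return None


def last_value(pairs, name):
    """Resolution rule: the last occurrence wins."""
    result = None
    for key, value in pairs:
        if key == name:
            result = value
    return result


def joined_value(pairs, name, sep=","):
    """Resolution rule: all occurrences are concatenated."""
    values = [value for key, value in pairs if key == name]
    return sep.join(values) if values else None


def duplicate_names(pairs):
    """Names that appear more than once; a strict front-end should flag these."""
    counts = {}
    for key, _ in pairs:
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


def single_value(pairs, name):
    """Hardened accessor: refuse the request if the parameter is duplicated."""
    values = [value for key, value in pairs if key == name]
    if len(values) > 1:
        raise ValueError(f"parameter {name!r} supplied {len(values)} times")
    return values[0] if values else None


def gateway_allows(pairs, blocked_user="admin"):
    """Hypothetical gateway rule that only looks at the LAST 'user' value."""
    return last_value(pairs, "user") != blocked_user


def backend_user(pairs):
    """Hypothetical backend that logs in whichever 'user' value comes FIRST."""
    return first_value(pairs, "user")


def simulate(url):
    """Run the polluted request through gateway and backend; return (allowed, logged-in user)."""
    pairs = query_pairs(url)
    return gateway_allows(pairs), backend_user(pairs)


def load_json_lenient(text):
    """Default json.loads behaviour: a later duplicate key silently overwrites the earlier one."""
    return json.loads(text)


def load_json_strict(text):
    """Reject any JSON object that contains a duplicated key instead of picking one value."""
    def no_duplicates(items):
        obj = {}
        for key, value in items:
            if key in obj:
                raise ValueError(f"duplicate key: {key!r}")
            obj[key] = value
        return obj
    return json.loads(text, object_pairs_hook=no_duplicates)


def strict_json_rejects(text):
    """True if the strict loader refuses the document."""
    try:
        load_json_strict(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pairs = query_pairs(POLLUTED_URL)
    print("first wins:", first_value(pairs, "user"))
    print("last wins:", last_value(pairs, "user"))
    print("joined:", joined_value(pairs, "user"))
    print("gateway allowed, backend user:", simulate(POLLUTED_URL))
    print("lenient JSON user:", load_json_lenient(POLLUTED_JSON)["data"]["user"])
    print("strict JSON rejects:", strict_json_rejects(POLLUTED_JSON))
```

In the simulated stack the gateway sees user=guest and lets the request through, while the backend authenticates user=admin: that mismatch is the whole vulnerability. The fix is on the server side, not in the gateway rule: read parameters through something like single_value and parse bodies with a loader that rejects duplicate keys, so a polluted request fails instead of being interpreted two different ways.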