Today I want to share to you guys about HTTP Parameter Pollution (HPP). HPP is one of web attack that pentester can use in their assessment to check the web application security. The HPP vulnerability severity is depends on how critical the impact towards to the application.
Simple explanation for the HPP attack :
Attackers modify HTTP request (GET/POST Method) by adding duplicate parameters with malicious values before sending to the server. The duplicated parameter sent by the attacker might be misinterpret by the server and may execute malicious payloads.
The result of HPP attack may be differ to every web application based on their back-end server that are being used. Following are the results based on the server type :
As shown above sample from the google.com site, which they concatenate all the queries become one string line of a query.
How to do HPP attack?
HPP can be tested on any web application by using Burp Suite or OWASP Zap tools. Intercept any HTTP request and modify the request by adding duplicate parameters with another values, example as below :
From the picture above shown that the URL were contains 2 original parameters (“u” , “quote”) and 1 duplicate parameter that attacker added at the back of the URL. In this situation, the back-end server is using PHP and Apache setup. It means that it will takes the last parameter occurrence (can refer back table below).
The first “u” parameter were ignored by the server and only take another “u” parameter at the back of the URL. The situation above may leads to Open Redirect vulnerability on this application.
How to prevent HPP attack from occur?
- All data that being entered by the users need to be validated before passing it to the back-end.
- Whitelist of allowed data or domain.
Thank you to all readers.
