HTTP Parameter Pollution

Summary

Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors, or modify internal variable values. Because HTTP Parameter Pollution (HPP for short) affects a building block of all web technologies, both server-side and client-side attacks exist.
The presence of duplicated parameters is not, by itself, necessarily an indication of vulnerability. However, if the developer is not aware of the problem, duplicated parameters may produce anomalous behavior in the application that an attacker can potentially exploit. As is often the case in security, unexpected behaviors are a common source of weaknesses, which in this case could lead to HTTP Parameter Pollution attacks. To better introduce this class of vulnerabilities and the outcome of HPP attacks, it is useful to analyze some real-life examples that have been discovered in the past.

Authentication bypass

An even more critical HPP vulnerability was discovered in Blogger, the popular blogging platform. The bug allowed malicious users to take ownership of the victim’s blog by using the following HTTP request:

    POST /add-authors.do HTTP/1.1

    security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite

The flaw resided in the authentication mechanism used by the web application, as the security check was performed on the first blogID parameter, whereas the actual operation used the second occurrence.

Expected Behavior by Application Server

The following table illustrates how different web technologies behave in the presence of multiple occurrences of the same HTTP parameter.
Given the URL and querystring: http://example.com/?color=red&color=blue

| Web Application Server Backend | Parsing Result | Example |
| --- | --- | --- |
| ASP.NET / IIS | All occurrences concatenated with a comma | color=red,blue |
| ASP / IIS | All occurrences concatenated with a comma | color=red,blue |
| PHP / Zeus | Last occurrence only | color=blue |
| PHP / Apache | Last occurrence only | color=blue |
| JSP, Servlet / Apache Tomcat | First occurrence only | color=red |
| JSP, Servlet / Oracle Application Server 10g | First occurrence only | color=red |
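
The following is an added example, not code from the original page or from Blogger: it models the three parsing behaviours in the table and the check-on-first, act-on-second mismatch described under "Authentication bypass", next to a hardened handler that rejects duplicated parameters. The handler names, the sample body and the blog identifiers are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Parsing behaviours from the table above; the keys are labels chosen for this example.
SEMANTICS = {
    "first": lambda vals: vals[0],          # JSP, Servlet / Apache Tomcat
    "last": lambda vals: vals[-1],          # PHP / Apache
    "concat": lambda vals: ",".join(vals),  # ASP.NET / IIS
}

def collect(body):
    """Group every occurrence of each parameter, preserving order."""
    params = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        params.setdefault(name, []).append(value)
    return params

def resolve(body, name, mode):
    """Value that a component using the given semantics sees for `name`."""
    return SEMANTICS[mode](collect(body)[name])

def duplicated(body):
    """Parameter names that occur more than once."""
    return sorted(n for n, v in collect(body).items() if len(v) > 1)

def handle_invite(body, owned_blogs, check_mode, use_mode):
    """Hypothetical handler: authorises with one parser, acts with another."""
    checked = resolve(body, "blogID", check_mode)
    if checked not in owned_blogs:
        return ("denied", checked)
    return ("invited", resolve(body, "blogID", use_mode))

def handle_invite_strict(body, owned_blogs):
    """Hardened form: refuse ambiguous input, then check and use one value."""
    dups = duplicated(body)
    if dups or "blogID" not in collect(body):
        return ("rejected", dups)
    blog_id = resolve(body, "blogID", "first")
    if blog_id not in owned_blogs:
        return ("denied", blog_id)
    return ("invited", blog_id)

# Constructed sample body shaped like the request shown on this page.
SAMPLE = "security_token=t&blogID=blogA&blogID=blogB&authorsList=a%40example.com&ok=Invite"
OWNED = {"blogA"}  # blogs owned by the requesting account (constructed)

if __name__ == "__main__":
    for mode in SEMANTICS:
        print(mode, "->", resolve(SAMPLE, "blogID", mode))
    print(handle_invite(SAMPLE, OWNED, "first", "last"))
    print(handle_invite_strict(SAMPLE, OWNED))
```

When the check and the operation resolve `blogID` with the same semantics, the mismatch disappears; rejecting duplicated names outright also removes the dependence on which backend parses the request.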