Home > CAPEC List > CAPEC-460: HTTP Parameter Pollution (HPP) (Version 2.11)  

CAPEC-460: HTTP Parameter Pollution (HPP)

HTTP Parameter Pollution (HPP)
Definition in a New Window Definition in a New Window
Attack Pattern ID: 460
Abstraction: Detailed
Status: Draft
Completeness: Stub
Presentation Filter:
+ Summary

An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.

+ Attack Prerequisites
  • HTTP protocol is used with some GET/POST parameters passed

+ Typical Severity


+ Resources Required

Any tool that enables intercepting and tampering with HTTP requests

+ Solutions and Mitigations

Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests

Design: Perform URL encoding

Implementation: Use strict regular expressions in URL rewriting

Implementation: Beware of multiple occurrences of a parameter in a Query String

+ References
[R.460.1] Luca Carettoni and Stefano di Paola. "HTTP Parameter Pollution". OWASP EU09 Poland. The Open Web Application Security Project (OWASP). 2008. <https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team

More information is available — Please select a different filter.
Page Last Updated or Reviewed: August 04, 2017