HTTP Parameter Pollution Security Check

Category: Product Docs & FAQS - Last Updated: Wed, 15 Jan 2020 - by Oguz Kurumlu

Netsparker uses a wide range of security checks during a scan to test for issues and vulnerabilities. Some are switched on by default while others can be modified or deleted. Since the number of hacks and vulnerabilities grows continuously, Netsparker web application security scanner must regularly add to its total list of security checks.

In the recent Netsparker Standard 5.5 November 2019 Update, we have added HTTP Parameter Pollution (HPP) to our list of security checks. HPP is categorized in Netsparker as a Medium level vulnerability. HPP occurs when a target system accepts multiple parameters with the same name and handles them in different and insecure ways. The impact can lead to bypassing filters and security control mechanisms.

Impacts can be very difficult to detect, since every server experiences varying effects. In an automated way, it is impossible to detect if the server is vulnerable to HPP and impact of the issue at the server-side. By evaluating some signs in the HTML response, an automation tool can only report the possibility of HPP. A picture worth a thousand words, so the picture below can explain potential impact of the HPP well. Let's say the target server can take the first occurence of multiple parameters with the same name. After convincing the user to enter the site by using a specially crafted URL, whatever user choice is, votes will go to selected applicant by attacker.

Types of HPP Attacks

What Happens When Netsparker Detects HTTP Parameter Pollution Attack?

During the security check, Netsparker first attempts to detect reflected parameters. Then, it attacks using a specific HTML-encoded value.

  • If detected, Netsparker marks the HPP as 'Possible', and sets the vulnerability security level to 'Medium'.
  • The potential consequences are outlined in the report's Impact section, including for example, whether an attacker could bypass a security control mechanism.
  • The report's Remedy section will explain that in order to avoid HPP vulnerabilities, all user-supplied data, reflected in the HTML source code of the HTTP response, should be encoded, for example, by using URL-encoding in attributes where input is reflected, instead of HTML entities.

In Netsparker Standard, the HPP security check is enabled by default. It can be disabled and requires no additional settings.

For further information, see Security Checks and HTTP Parameter Pollution. For further information on other features in the latest release, see Netsparker Standard 5.5 – November 2019 Update.


Keep up with the latest web security
content with weekly updates.