
HTTP Parameter Pollution

HTTP Parameter Pollution (HPP) is a security check that detects HPP vulnerabilities by sending polluted (duplicated) parameters from the client side and inspecting all source attributes of the target web application for their reflection. HTTP Parameter Pollution occurs when a target system accepts multiple parameters with the same name. Different servers handle these duplicates in different, and sometimes insecure, ways: for example, some combine the values with a comma, while others take the last value as the actual parameter.

Here is an example: http://www.example.com/?color=red&color=blue

  • PHP/Apache will process only the last occurrence of the parameter 'color': 'blue'
  • ASP.NET/IIS will concatenate all parameter values with commas: color=red,blue
  • The JSP/Servlet/Apache Tomcat stack will take the first occurrence of the parameter 'color', so its value will be 'red'.

There are two kinds of HPP types:

  • Client Side HPP affects the user directly. It can change the link or image that you visit.

  • Server Side HPP affects the server on which your website runs. It is very hard to detect because its effect depends on how each application handles the duplicated parameters.

How the HTTP Parameter Pollution Security Check Works

This is what happens during the security check:

  • This security check first attempts to detect reflected parameters. A reflected parameter is one whose value from the request is used in your page response. In order to find reflected parameters, we send a request to your website with a specific, unique value for each parameter; if that value appears in the response, we can be sure the parameter is reflected.
  • Then, it attacks using a specific HTML-encoded value. If your response contains that value decoded, there is a possible HTTP Parameter Pollution vulnerability. Netsparker attacks only the reflected parameters.

If Netsparker detects an HTTP Parameter Pollution:

  • It's categorized as '[Possible]', because even if we find the reflected parameter, we cannot be sure it has any negative impact. It is also assigned a Medium severity level.

  • The Impact is outlined in the report. Whether or not HPP constitutes a serious vulnerability depends on the specific web application's code. The impact can range from being able to bypass filters or security control mechanisms to changing the application flow. In addition, an attacker can potentially override existing hard-coded HTTP parameters in order to modify the behavior of an application, bypass input validation checks, or access and possibly exploit variables that may normally be out of the direct reach of an attacker.
  • The Remedy, also outlined in the report, is that all user-supplied data which is reflected in the HTML source code of the HTTP response should be encoded according to the context in which it is reflected (for example, by using URL-encoding in attributes where input is reflected, instead of HTML entities).
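The following Python model is an added example (not Netsparker's code): it reproduces the three duplicate-parameter policies listed above and the two-step reflection test the check describes, with a stand-in vulnerable page and the same page after the URL-encoding remedy. The policy names, the canary/probe values and both stand-in applications are constructed for illustration.

```python
"""Added example (not Netsparker's code): models the duplicate-parameter policies
listed above and the two-step reflection test the check describes. Policy names,
the two stand-in applications and the canary/probe values are constructed."""
from urllib.parse import parse_qs, quote
import html

# How each stack named on the page resolves a repeated parameter.
POLICIES = {
    "php_last": lambda vals: vals[-1],           # PHP/Apache: last occurrence
    "aspnet_join": lambda vals: ",".join(vals),  # ASP.NET/IIS: comma-joined
    "jsp_first": lambda vals: vals[0],           # JSP/Tomcat: first occurrence
}

def resolve(query: str, policy: str) -> dict:
    """Resolve every parameter of a raw query string under one policy."""
    multi = parse_qs(query, keep_blank_values=True)
    return {name: POLICIES[policy](vals) for name, vals in multi.items()}

def vulnerable_app(color: str) -> str:
    """Stand-in for a page that HTML-decodes 'color' and echoes it into a link."""
    return '<a href="/?color=%s">next</a>' % html.unescape(color)

def fixed_app(color: str) -> str:
    """Same page after the remedy: URL-encode the value inside the URL attribute."""
    return '<a href="/?color=%s">next</a>' % quote(html.unescape(color), safe="")

def hpp_check(send, canary: str = "hppcanary7f3a") -> str:
    """The check's two steps. `send(value)` stands in for requesting the target
    with color=<value> and returns the response body."""
    if canary not in send(canary):               # step 1: is 'color' reflected?
        return "not reflected"
    probe = "&color=" + canary                   # decoded form of the probe
    if probe in send(html.escape(probe)):        # step 2: sent as '&amp;color=...'
        return "possible HPP"                    # echoed decoded: a second 'color'
    return "reflected but encoded"               # could be smuggled into the link
```

`resolve("color=red&color=blue", policy)` reproduces the three outcomes from the example URL, and `hpp_check` returns "possible HPP" for the vulnerable stand-in but "reflected but encoded" for the fixed one.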

By default, the HTTP Parameter Pollution check is enabled. There are no additional settings available for HTTP Parameter Pollution.

For further information, see Security Checks and HTTP Parameter Pollution Vulnerabilities in Web Applications.

How to Disable the HTTP Parameter Pollution Security Check in Netsparker Enterprise

  1. Log in to Netsparker Enterprise.
  2. From the main menu, click Policies, then New Scan Policy.
  3. Click the Security Checks tab.
  4. Deselect the HTTP Parameter Pollution checkbox.
  5. Click Save.

How to Disable the HTTP Parameter Pollution Security Check in Netsparker Standard

  1. Open Netsparker Standard.
  2. From the Home tab, click the Scan Policy Editor. The Scan Policy Editor dialog is displayed.
  3. Select the Security Checks tab.
  4. In the Security Checks list, scroll down to HTTP Parameter Pollution.
  5. Deselect the HTTP Parameter Pollution checkbox.
  6. Click OK.