
# HTTP Parameter Pollution

## Summary

HTTP Parameter Pollution (HPP) is a web attack evasion technique that allows an attacker to craft an HTTP request in order to manipulate web logic or retrieve hidden information. The technique is based on splitting an attack vector between multiple instances of a parameter with the same name (`?param1=value&param1=value`). As there is no formal way of parsing HTTP parameters, individual web technologies have their own way of parsing and reading URL parameters with the same name: some take the first occurrence, some take the last occurrence, and some read all of them as an array. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.

## Tools

No tools needed. Maybe Burp or OWASP ZAP.

## How to test

HPP allows an attacker to bypass pattern-based/blacklist proxies or Web Application Firewall detection mechanisms. This can be done with or without knowledge of the web technology behind the proxy, and can be achieved through simple trial and error.

```
Example scenario.
WAF - Reads first param
Origin Service - Reads second param. In this scenario, developer trusted WAF and did not implement sanity checks.

Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads first 'search' param, looks innocent. passes on) --> Origin Service (reads second 'search' param, injection happens if no checks are done here.)
```

### Table of reference for which technology reads which parameter

When `?par1=a&par1=b`

| Technology                                     | Parsing Result           | Outcome (par1=) |
| ---------------------------------------------- | ------------------------ | :-------------: |
| ASP.NET/IIS                                    | All occurrences          |       a,b       |
| ASP/IIS                                        | All occurrences          |       a,b       |
| PHP/Apache                                     | Last occurrence          |        b        |
| PHP/Zeus                                       | Last occurrence          |        b        |
| JSP,Servlet/Tomcat                             | First occurrence         |        a        |
| Perl CGI/Apache                                | First occurrence         |        a        |
| Python Flask                                   | First occurrence         |        a        |
| Python Django                                  | Last occurrence          |        b        |
| Nodejs                                         | All occurrences          |       a,b       |
| Golang net/http - `r.URL.Query().Get("param")` | First occurrence         |        a        |
| Golang net/http - `r.URL.Query()["param"]`     | All occurrences          |       a,b       |
| IBM Lotus Domino                               | First occurrence         |        a        |
| IBM HTTP Server                                | First occurrence         |        a        |
| mod\_wsgi (Python)/Apache                      | First occurrence         |        a        |
| Python/Zope                                    | All occurrences in array |    ['a','b']    |
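The following Go program is an added example (not part of the original page) that reproduces the scenario from "How to test" using the two Go accessors listed in the table: `Query().Get()` only ever sees the benign first `search` value, while map access exposes the polluted second copy. It also shows the check a proxy or handler can apply, flagging any parameter name that occurs more than once so the first-vs-last ambiguity never reaches application logic. The query string is a constructed sample.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
)

// Constructed sample from the scenario above: benign first value, injection in the second.
const sampleRawQuery = "search=Beth&search=%27+OR+1%3D1%3B%23&page=2"

// SeenValues contrasts the two Go accessors from the table: Query().Get(name)
// returns only the first occurrence, Query()[name] returns all of them.
func SeenValues(raw, name string) (first string, all []string, err error) {
	q, err := url.ParseQuery(raw)
	if err != nil {
		return "", nil, err
	}
	return q.Get(name), q[name], nil
}

// DuplicateParams lists names that occur more than once (sorted). Rejecting or
// logging such requests at both the proxy and the origin removes the
// first-vs-last ambiguity the attack relies on.
func DuplicateParams(raw string) ([]string, error) {
	q, err := url.ParseQuery(raw)
	if err != nil {
		return nil, err
	}
	var dups []string
	for name, vals := range q {
		if len(vals) > 1 {
			dups = append(dups, name)
		}
	}
	sort.Strings(dups)
	return dups, nil
}

func main() {
	first, all, _ := SeenValues(sampleRawQuery, "search")
	dups, _ := DuplicateParams(sampleRawQuery)
	fmt.Printf("Get()=%q  map=%q  duplicated=%v\n", first, all, dups)
}
```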

## References

* [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/)
* [HTTP Parameter Pollution in 11 minutes | Web Hacking - PwnFunction](https://www.youtube.com/watch?v=QVZBl8yxVX0&ab_channel=PwnFunction)
* [How to Detect HTTP Parameter Pollution Attacks - Acunetix](https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/)
