HTTP Parameter Pollution – a Newer Class of Injection Attack

HTTP Parameter Pollution Whitepaper

Many components of web applications now run on the user's computer (JavaScript, for example) and not only on the provider's server (servlets, for example). As web applications grow to offer a multitude of services while remaining consistent in functionality, interactivity and ease of use, even the simplest application may obtain and process a plethora of different HTTP parameters. This exposes an extensive variety of input validation and injection vulnerabilities, such as Cross-site Scripting, SQL Injection and Command Injection. One less acknowledged injection attack has been around for a long time but has only recently begun to attract attention in the web security world: HTTP Parameter Pollution (HPP).

This vulnerability was first presented by Stefano di Paola and Luca Carettoni in 2009 at the OWASP Poland conference. HTTP Parameter Pollution takes advantage of the fact that HTTP allows the same parameter name to appear more than once in a request, which exposes web applications that do not expect this to malicious users. HPP is a simple yet quite effective hacking technique which affects both client-side and server-side environments. When exploited, the impact of an HPP injection attack depends on the functionality of the web application. Despite its simplicity, HTTP Parameter Pollution can be very dangerous and can compromise your website and web application security systems.
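The root cause described above is that a request may carry the same parameter name several times, and each component that reads the request decides on its own whether the first value, the last value or a concatenation of all values counts. The following Python is an added example (not code from the Acunetix post or the whitepaper) that parses a query string under those three interpretations, offers a strict server-side parser that refuses undeclared repeats instead of silently choosing one, and scans access-log lines for requests with repeated parameters. The log lines, host addresses, paths and parameter names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit
from typing import Dict, List, Tuple

# Constructed sample access-log lines in Common Log Format (hypothetical hosts,
# paths and parameters; not taken from the whitepaper).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /profile?user=42&page=1 HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /profile?user=42&page=1&user=7 HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /search?q=a&q=b&page=1 HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_all(query: str) -> Dict[str, List[str]]:
    """Return every value of every parameter, in the order it was sent.

    This is what the wire actually carries; a framework that hands the
    application a single value per name has already picked one of the
    interpretations below without telling it.
    """
    return parse_qs(query, keep_blank_values=True)


def first_occurrence(query: str) -> Dict[str, str]:
    """Interpretation A: the first value wins, later duplicates are ignored."""
    return {name: values[0] for name, values in parse_all(query).items()}


def last_occurrence(query: str) -> Dict[str, str]:
    """Interpretation B: the last value wins, earlier duplicates are overwritten."""
    return {name: values[-1] for name, values in parse_all(query).items()}


def joined_occurrences(query: str, sep: str = ",") -> Dict[str, str]:
    """Interpretation C: all values are concatenated into one string."""
    return {name: sep.join(values) for name, values in parse_all(query).items()}


def polluted_parameters(query: str) -> Dict[str, List[str]]:
    """Names that appear more than once, with all of their values."""
    return {name: values for name, values in parse_all(query).items() if len(values) > 1}


def repeated_parameter_names(query: str, allow_multi: frozenset = frozenset()) -> List[str]:
    """Repeated names that the application did not declare as multi-valued."""
    return sorted(name for name in polluted_parameters(query) if name not in allow_multi)


def strict_parse(query: str, allow_multi: frozenset = frozenset()) -> Dict[str, List[str]]:
    """Server-side guard: refuse a request that repeats an undeclared parameter.

    Rejecting is safer than silently picking one value, because the value this
    layer picks may differ from the one a proxy, WAF or client-side script
    picked when it looked at the same request.
    """
    unexpected = repeated_parameter_names(query, allow_multi)
    if unexpected:
        raise ValueError("repeated parameter(s): " + ", ".join(unexpected))
    return parse_all(query)


# Extracts the request target from a Common Log Format line.
_REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def scan_log(text: str) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Detection: list every logged request whose query string repeats a parameter."""
    hits = []
    for line in text.splitlines():
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group("target")
        duplicates = polluted_parameters(urlsplit(target).query)
        if duplicates:
            hits.append((target, duplicates))
    return hits


if __name__ == "__main__":
    q = "user=42&page=1&user=7"
    print("as sent:    ", parse_all(q))
    print("first wins: ", first_occurrence(q))
    print("last wins:  ", last_occurrence(q))
    print("joined:     ", joined_occurrences(q))
    for target, dup in scan_log(SAMPLE_LOG):
        print("polluted request:", target, dup)
```

The three interpretation functions make the disagreement concrete: for `user=42&page=1&user=7` one layer sees `user=42`, another sees `user=7`, and a third sees `42,7`. A filter and the application behind it can therefore validate different values for the same request, which is why `strict_parse` treats an undeclared repeat as an error rather than resolving it, and why `scan_log` is useful as a first pass over existing traffic before deciding which parameters genuinely need to be multi-valued.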

The Acunetix Team has created a detailed whitepaper that explains how an HTTP Parameter Pollution injection attack can be launched at the front-end (client) or the back-end (server) of a web application. We also recommend security measures that should be taken in order to determine whether your website is vulnerable to HPP attacks.

Click here to read the whitepaper guide on How to Detect HTTP Parameter Pollution attacks.
