{"id":8845,"date":"2021-02-19T12:52:09","date_gmt":"2021-02-19T07:22:09","guid":{"rendered":"https:\/\/www.varutra.com\/?p=8845"},"modified":"2023-03-24T12:08:15","modified_gmt":"2023-03-24T06:38:15","slug":"http-parameter-pollution","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/http-parameter-pollution\/","title":{"rendered":"HTTP Parameter Pollution"},"content":{"rendered":"


\nThe parameter enables pages to load data from the back-end e.g., ID, search query. They make websites more interactive to the back-end as well as make them easy to use for visitors. Multiple parameters can be added with the help of special chars like (&, +,;) <\/strong>to a single page, which makes the page dynamic and a single page can have multiple views. Pages accept only parameters defined by developers in code and they should be sanitized properly to avoid malicious activity.<\/p>\n

e.g.\u00a0 https:\/\/websiteurl.com\/dish?organization?uid=23<\/a><\/p>\n

HTTP Parameter Pollution is simply adding one extra parameter with a similar one used by the server. We can bypass the Web application firewall (WAF) checks that used for input validation checkpoints and Ruleset for blacklisting through parameter pollution. Behind the scenes, the front-end checks for validation on only one parameter, and another parameter get passed to the back end without checks.<\/p>\n

e.g.\u00a0 https:\/\/websiteurl.com\/dish?organization?uid=23&uid25<\/a><\/p>\n

Firstly, need to gather information about the backend and parsing method used by the application. Then need to find parameters that are taking input from the user and check how it behaves after parameter tempering. Parameter Pollution can be tested against GET request parameter, POST parameters, and in the Cookie header.<\/p>\n

Different languages and frameworks handle these parameters differently, some consider the first parameter and some of them will go for the second parameter and some will combine the second parameter with the first parameter. For exploitation, an attacker needs to craft a payload according to the back end of the web application.<\/p>\n

 <\/p>\n

Here is a List of Some <\/strong>Back-end<\/strong> Server that Supports the First Occurrence only:<\/strong><\/h3>\n