HTTP Parameter Pollution

HTTP Parameter Pollution

HTTP Parameter Pollution (HPP) vulnerabilities allow attackers to exploit web applications by manipulating the query parameters in the URL and requested body which causes the Cross Site Scripting or Privilege Escalation or bypass Authorization.



HTTP Parameter Pollution affects both Server side as well as Client Side components as it is injecting additional/multiple parameters (i.e. GET/POST/Cookie) to the links, tags, attributes.

HTTP Parameter Pollution attacks may add parameters or overwrite the existing parameters variables by injecting query string delimiters into existing HTTP parameters.

If exploited it can be launched from Client Side or server side attacks.


  • HTTP Parameter Pollution is possible most of the time in URL based.

Prevention of HTTP Parameter Pollution:

  • Keep in mind that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, i.e. input validation.
  • Accept parameters only where they are supposed to be supplied.
  • HTTP Parameter Pollution server side, it’s always important to use URL encoding whenever you do GET/POST HTTP requests to an HTTP back-end.
  • From the client-side point of view, use URL encoding whenever you are going to include user-supplied content within links, etc.

    • Related Articles

    • Web security issues you need to be concerned

      1. SQL Injection (SQLi) The SQL injection is the most common web security issue faced by most of the companies. An SQL injection is the injection attack where hackers can input malicious SQL queries to pull sensitive data from the database. These SQL ...
    • RESTAPI Vulnerability Scanner

      Hi, This post is regarding VOOKI – RESTAPI Vulnerability Scanner. Before you learn about RESTAPI Vulnerability Scanner. You need to learn few things please read below. First, we learn about what is Web Service? WEB SERVICE: A web service is a ...
    • How to use burp suite with android mobile

      Hi, This post is regarding How to use burp suite with android mobile. Step 1: Open Settings and click Wi-Fi in your mobile. Step 2 : Click on Wi-Fi and Long press on your Connected Network (here TP-LICK_720C). Step 3 : Click on Modify network. Step 4 ...
    • command injection

      Hi, This post is regarding Command Injection. Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application ...
    • insecure deserialization – xvna

      Hi, This post is regarding How to find Insecure deserialization in XVNA. Since many apps that accept serialized objects do not validate or check untrusted input before deserializing it, attackers can inject malicious objects into a data stream and ...