
HTTP Parameter Pollution

Parameter pollution and smuggling techniques

Concept

When the same parameter is sent multiple times, servers handle it differently:

PHP/Apache:    ?x=1&x=2  ->  x = "2"    (last value wins)
ASP/IIS:       ?x=1&x=2  ->  x = "1,2"  (all values, comma-joined)
Python/Flask:  ?x=1&x=2  ->  x = "1"    (first value wins)

Basic Payloads

# Duplicate parameter
?id=1&id=2

# Array syntax
?id[]=1&id[]=2

# Different encodings
?id=1&id%3D2
?id=1&%69d=2

Server-Side HPP

Logic Bypass

# Transfer validation
Original: ?from=userA&to=userB&amount=100

# Attack
?from=userA&to=userB&amount=100&from=admin

WAF Bypass

# WAF checks first, app uses last
?search=safe&search=<script>alert(1)</script>

Client-Side HPP

# Vulnerable link generation
/share?url=https://target.com&url=https://evil.com

# Social share manipulation
/tweet?text=safe&text=malicious

Framework Behavior

Framework   Behavior
PHP         Last value
ASP.NET     Comma-joined
Python      First value (often)
Node.js     Array or first
Java        First or last (depends)
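The following is an added example, not code from the original page, that makes the Concept section, the WAF-bypass mismatch and the framework table above concrete. It parses constructed query strings with Python's standard library, resolves duplicates under the "first", "last" and comma-joined policies, flags names that occur more than once after decoding, reports parameters on which a first-value filter and a last-value application would disagree, and finishes with a strict parser that refuses repeated names so every layer sees one value. The policy names and function names are this example's own assumptions; nothing here reflects a specific framework's API.

```python
from urllib.parse import parse_qsl

# Constructed sample query strings; none refer to a real site.
SAMPLES = {
    "duplicate": "from=userA&to=userB&amount=100&from=admin",
    "array": "id[]=1&id[]=2",
    "encoded_name": "id=1&%69d=2",   # %69 decodes to "i", so the name is "id" again
    "encoded_eq": "id=1&id%3D2",     # %3D decodes to "=", giving a parameter named "id=2"
}


def collect(query: str) -> dict:
    """Group every value seen for each decoded parameter name, preserving order."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def resolve(query: str, policy: str) -> dict:
    """Reduce duplicates the way a framework family does:
    'first' (Python/Flask style), 'last' (PHP style), 'join' (ASP/IIS style)."""
    out = {}
    for name, values in collect(query).items():
        if policy == "first":
            out[name] = values[0]
        elif policy == "last":
            out[name] = values[-1]
        elif policy == "join":
            out[name] = ",".join(values)
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return out


def polluted_names(query: str) -> list:
    """Parameter names that appear more than once after URL decoding."""
    return [name for name, values in collect(query).items() if len(values) > 1]


def views_disagree(query: str, front_policy: str, app_policy: str) -> dict:
    """Parameters whose value differs between a front-end view (e.g. a filter
    reading the first occurrence) and the application's view (e.g. PHP reading
    the last). Any entry here is a value the filter inspected but the
    application never used, which is the condition the WAF-bypass payload relies on."""
    front, app = resolve(query, front_policy), resolve(query, app_policy)
    return {n: (front[n], app[n]) for n in front if front[n] != app[n]}


def strict_parse(query: str) -> dict:
    """Defensive parser: reject any request that repeats a parameter name,
    so the filter and the application cannot resolve it differently."""
    grouped = collect(query)
    dupes = [name for name, values in grouped.items() if len(values) > 1]
    if dupes:
        raise ValueError(f"duplicate parameter(s): {dupes}")
    return {name: values[0] for name, values in grouped.items()}


if __name__ == "__main__":
    q = SAMPLES["duplicate"]
    for policy in ("first", "last", "join"):
        print(f"{policy:>5}: from={resolve(q, policy)['from']!r}")
    print("polluted names:", polluted_names(q))
    print("filter-vs-app disagreement:", views_disagree(q, "first", "last"))
    print("encoded name duplicates 'id':", polluted_names(SAMPLES["encoded_name"]))
    print("encoded '=' is not a duplicate:", polluted_names(SAMPLES["encoded_eq"]))
    try:
        strict_parse(q)
    except ValueError as err:
        print("strict parser rejected request:", err)
```

Running the block shows the same query resolving to `from=userA`, `from=admin` and `from=userA,admin` under the three policies, and that the `%69d` encoding still collapses to a duplicate `id` while `id%3D2` becomes a distinct name rather than a second `id`. Logging the output of `polluted_names` at the edge, or applying `strict_parse` before any authorisation decision, removes the ambiguity the table above describes.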

Testing

1. Send duplicate parameters
2. Observe which value is used
3. Test parameter arrays
4. Try URL-encoded duplicates
5. Test on both client and server actions