CAPEC-460: HTTP Parameter Pollution (HPP)
An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.
Last updated
Overview
CAPEC-460 (HTTP Parameter Pollution (HPP)) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Find User Input] The adversary finds anywhere in the web application that uses user-supplied input in a form or action. This can also be found by looking at parameters in the URL in the navigation bar of the browser
- Step 2Experiment
[Add Duplicate Parameter Values] Once the adversary has identified what user input is used as HTTP parameters, they will add duplicates to each parameter one by one to observe the results. If the response from the HTTP request shows the duplicate parameter value concatenated with the original parameter value in some way, or simply just the duplicate parameter value, then HPP is possible.
- In the URL, add a duplicate parameter by using the "&" delimiter. For example "par1=val1" becomes "par1=val1&par1=val2". Depending on the backend API, this could be treated as "par1=val1, val2", which could lead to par1 being set to val2, ignoring val1.
- If the request is created based on user input directly on the page, the adversary will test by adding an encoded delimiter to the input. For example, the adverary might supply "1000%26action=withdraw" and the backend might interpret a POST request with the paramters "action=deposit&amount=1000&action=withdraw"
- Step 3Exploit
[Leverage HPP] Once the adversary has identified how the backend handles duplicate parameters, they will leverage this by polluting the paramters in a way that benefits them. In some cases, hardcoded parameters will be disregarded by the backend. In others, the adversary can bypass a WAF that might only check a parameter before it has been concatenated by the backend, resulting in malicious queries getting through.
What the attacker needs
Prerequisites
- HTTP protocol is used with some GET/POST parameters passed
Resources required
- Any tool that enables intercepting and tampering with HTTP requests
How to mitigate it
Defenses that reduce the risk of CAPEC-460.
- Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests
- Design: Perform URL encoding
- Implementation: Use strict regular expressions in URL rewriting
- Implementation: Beware of multiple occurrences of a parameter in a Query String
Terminology & mappings
Mapped taxonomies
- OWASP Attacks: Web Parameter Tampering
Frequently asked questions
Common questions about CAPEC-460.
- What is CAPEC-460?
- An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.
- How does a HTTP Parameter Pollution (HPP) attack work?
- It typically unfolds over 3 phases. It begins with: [Find User Input] The adversary finds anywhere in the web application that uses user-supplied input in a form or action. This can also be found by looking at parameters in the URL in the navigation bar of the browser
- How do you prevent CAPEC-460?
- Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests
- What weaknesses does CAPEC-460 target?
- CAPEC-460 exploits 3 CWE weaknesses, including CWE-88 (Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')), CWE-147 (Improper Neutralization of Input Terminators), CWE-235 (Improper Handling of Extra Parameters).
- How severe is CAPEC-460?
- MITRE rates CAPEC-460 as Medium severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-460
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.