HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name. Since none of the relevant HTTP RFCs define the semantics of HTTP parameter manipulation, each web application delivery platform may deal with it differently. In particular, some environments process such requests by concatenating the values taken from all instances of a parameter name within the request. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.

Detailed Description

Information transfer using the HTTP protocol can be done in various ways, such as:

  • Within the URI - using the GET parameters
  • Within the request body - using the POST parameters
  • In the HTTP headers - using the COOKIE header

The adopted technique depends on the application and on the type and amount of data that has to be transferred. Examples are shown in Figure 1.

  • GET /somePage.jsp?param1=value1& param2=value2 HTTP/1.1 Host: User-Agent: Safari/535.1 Accept: text/html,application/xhtml+xml
  • POST /somePage.asp HTTP/1.1 Host: User-Agent: Safari/535.1 Accept: text/html,application/xhtml+xml Content-Type: application/x-www-form-urlencoded Content-Length: 27

    param1=value1& param2=value2
Figure 1 – Parameters transfering examples

In HPP, the attacker introduces multiple parameters with the same name into a single HTTP request, whereas the attack vector is split across all instances. Since RFC3986 does not specify a standard behavior in this situation, the exact processing semantics are dependent upon the specific application delivery environment.

Table 1 shows a few examples of how different technologies and web servers manage multiple occurrences of the same parameter.

Technology/HTTP Back-End Overall Parsing Result Example
ASP.NET/IIS All occurrences of the specfic parameter par1=val1,val2
ASP/IIS All occurrences of the specfic parameter par1=val1,val2
PHP/Apache Last Occurence par1=val2
PHP/Zeus Last Occurence par1=val2
JSP, Servlet/Apache Tomcat First Occurence par1=val1
Table 1 – Different processing methods for technologies and web servers to manage multiple accurences of the same parameter1

When the Web application delivery environment concatenates multiple occurrences, the complete attack vector is reconstructed and processed by the application. At the same time, security mechanisms that inspect each parameter instance individually, or process the entire request data as a single string, will not be able to detect the attack. For example, as Table 1 above shows- ASP with IIS concatenates the values of duplicate parameters.

In Figure 2 we see two SQL injection vectors: "Regular attack" and "Attack using HPP". The regular attack demonstrates a standard SQL injection in the prodID parameter. This attack can be easily identified by a security detection mechanism, such as a Web Application Firewall (WAF). The second attack uses HPP on the prodID parameter. In this case, the attack vector is distributed across multiple occurrences of the prodID parameter. With the correct combination of technology environment and web server, the attack succeeds. In order for a WAF to identify and block the complete attack vector it required to also check the concatenated inputs.

Regular attack: http://webApplication/showproducts.asp?prodID=9 UNION SELECT 1,2,3 FROM Users WHERE id=3 --

Attack using HPP: http://webApplication/showproducts.asp?prodID=9 /*&prodID=*/UNION /*&prodID=*/SELECT 1 &prodID=2 &prodID=3 FROM /*&prodID=*/Users /*&prodID=*/ WHERE id=3 --

Figure 2 – SQL injection example with and without HPP