CAPEC Details
Name HTTP Parameter Pollution (HPP)
Likelyhood of attack Typical severity
High Medium
Summary An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.
Prerequisites HTTP protocol is used with some GET/POST parameters passed
Solutions Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests Design: Perform URL encoding Implementation: Use strict regular expressions in URL rewriting Implementation: Beware of multiple occurrences of a parameter in a Query String
Related Weaknesses
CWE ID Description
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-147 Improper Neutralization of Input Terminators
CWE-235 Improper Handling of Extra Parameters
Related CAPECS
CAPEC ID Description
CAPEC-15 An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
Taxonomy: OWASP Attacks
Entry ID Entry Name
Link Web Parameter Tampering