09 Mar, 2023

HTTP parameter pollution (HPP) attacks

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

HTTP parameter pollution (HPP) attacks refer to a type of web-based security vulnerability where an attacker manipulates the parameters of a web application’s HTTP requests to inject malicious code or data into the application’s server-side processing. This can lead to a variety of attacks such as stealing sensitive information, executing unauthorized actions, or causing the application to crash. HPP attacks typically exploit weaknesses in the way web applications handle multiple parameters with the same name or similar functionality.

Example of vulnerable code on different programming languages:


in JavaScript:

				
					const queryString = require('query-string');
const http = require('http');

http.createServer((req, res) => {
  const queryParams = queryString.parse(req.url.split('?')[1]);
  const username = queryParams.username;
  const password = queryParams.password;

  if (username && password) {
    authenticate(username, password);
  } else {
    res.writeHead(400, {'Content-Type': 'text/plain'});
    res.end('Missing username or password parameter');
  }
}).listen(8080);

				
			

 

This code uses the query-string library to parse query parameters from an HTTP request URL. However, if an attacker sends a request with multiple username or password parameters, the code will only use the last value provided, potentially allowing the attacker to bypass authentication.

• in Java:

				
					import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class MyServlet extends HttpServlet {
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String name = request.getParameter("name");
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html><head><title>Hello, " + name + "!</title></head>");
    out.println("<body data-rsssl=1><h1>Hello, " + name + "!</h1></body></html>");
  }
}

				
			


This Java servlet retrieves a parameter named name from the request object and uses it to generate a simple HTML response. However, if an attacker sends a request with multiple name parameters, the servlet will only use the last value provided, potentially allowing the attacker to inject malicious code.

• in PHP:

				
					<?php
$color = $_GET['color'];
echo "Your favorite color is " . $color;
?>

				
			

 

This simple PHP script retrieves a parameter named color from the URL query string and echoes it back to the user. However, if an attacker sends a request with multiple color parameters, the script will concatenate all of the provided values together, potentially allowing the attacker to inject malicious code.

Examples of exploitation HTTP parameter pollution (HPP) attacks

Authentication bypass:

Let’s say a web application uses a GET request to check if a user is authenticated by passing a logged-in parameter with a value of true if the user is logged in. An attacker could manipulate the URL query string to include both logged-in=true and logged-in=false parameters. If the application only checks for the last parameter value, the attacker could bypass the authentication check and gain access to restricted functionality.

Data theft:

Imagine a web application that uses a POST request to retrieve user data based on an id parameter. An attacker could manipulate the URL query string to include both id=123 and id=456 parameters. If the application only checks for the last parameter value, the attacker could retrieve user data for a different user without authorization.

Parameter tampering:

Let’s say a web application uses a GET request to retrieve a product’s price based on a product-id parameter. An attacker could manipulate the URL query string to include both product-id=123 and product-id=456 parameters. If the application only checks for the last parameter value, the attacker could tamper with the price of the product and cause the application to display incorrect information.

Server-side code injection:

Imagine a web application that uses a POST request to perform a search based on a query parameter. An attacker could manipulate the URL query string to include both query=apples and query=<script>alert('XSS')</script> parameters. If the application only checks for the last parameter value, the attacker could inject malicious code into the search query, potentially leading to server-side code injection vulnerabilities.

Privilege escalation techniques for HTTP parameter pollution (HPP) attacks

Session hijacking:

By manipulating the parameters of a web application’s HTTP requests, an attacker could potentially hijack a user’s session and gain access to their account. For example, if the application uses a logged-in parameter to determine if a user is authenticated, an attacker could manipulate this parameter to bypass authentication and take over the user’s session.

SQL injection:

If an application uses HTTP requests to interact with a database, an attacker could use HPP attacks to inject malicious SQL code into the query parameters, potentially allowing them to execute unauthorized database commands and escalate their privileges.

Cross-site scripting (XSS):

By injecting malicious code into HTTP request parameters, an attacker could potentially execute client-side scripts on a victim’s browser, leading to a variety of attacks, such as session hijacking or stealing sensitive information.

Command injection:

If an application uses HTTP requests to execute server-side commands, an attacker could use HPP attacks to inject malicious commands into the request parameters, potentially allowing them to execute unauthorized system-level commands and escalate their privileges.

File inclusion:

By manipulating HTTP request parameters, an attacker could potentially include unauthorized files in the application’s server-side processing, potentially allowing them to execute arbitrary code and escalate their privileges.

General methodology and checklist for HTTP parameter pollution (HPP) attacks

Methodology:

  1. Identify parameters: The first step is to identify all the input parameters that are being used in the application’s HTTP requests. This includes all the query string parameters, request headers, cookies, and any other input that can be manipulated by the user.

  2. Test for HPP attacks: Once you have identified the parameters, the next step is to test them for HPP vulnerabilities. This involves submitting the same parameter multiple times with different values and observing the application’s response. The goal is to determine if the application is vulnerable to HPP attacks and how the parameters can be manipulated to exploit the vulnerability.

  3. Exploit the vulnerability: If you discover an HPP vulnerability, the next step is to exploit it to determine the extent of the vulnerability and the potential impact on the application. This may involve bypassing authentication, retrieving sensitive data, or executing unauthorized commands on the server.

  4. Document and report findings: Once you have identified and exploited the vulnerability, it’s important to document your findings and report them to the application’s owner or development team. This should include a detailed description of the vulnerability, steps to reproduce the exploit, and recommendations for mitigating the vulnerability.

  5. Verify fixes: After the application’s owner or development team has addressed the vulnerability, it’s important to verify that the fix has been effective and that the vulnerability has been fully mitigated. This may involve re-testing the parameter and ensuring that the exploit is no longer possible.

  6. Continue monitoring: Even after a vulnerability has been mitigated, it’s important to continue monitoring the application for any new vulnerabilities or exploits. This involves regular testing and proactive monitoring to ensure that the application remains secure over time.

Checklist:

  1. Identify all input parameters: Make a list of all the input parameters that are being used in the application’s HTTP requests, including query string parameters, request headers, and cookies.

  2. Submit parameters multiple times: Submit each parameter multiple times with different values and observe the application’s response. The goal is to determine if the application is vulnerable to HPP attacks and how the parameters can be manipulated to exploit the vulnerability.

  3. Test for different HTTP methods: Test each parameter with different HTTP methods, such as GET, POST, PUT, and DELETE, to determine if the vulnerability is specific to a particular method.

  4. Test for encoding issues: Test each parameter with different encoding schemes, such as URL encoding, HTML encoding, and Unicode encoding, to determine if the vulnerability is related to encoding issues.

  5. Test for parameter ordering: Test each parameter with different orderings to determine if the vulnerability is related to the ordering of the parameters in the HTTP request.

  6. Test for dependencies between parameters: Test each parameter with different dependencies on other parameters, to determine if the vulnerability is related to dependencies between parameters.

  7. Test for impact of parameter pollution: Test each parameter to determine the impact of parameter pollution, such as bypassing authentication, retrieving sensitive data, or executing unauthorized commands on the server.

  8. Document findings: Document your findings, including a detailed description of the vulnerability, steps to reproduce the exploit, and recommendations for mitigating the vulnerability.

  9. Report findings: Report your findings to the application’s owner or development team, including a description of the vulnerability and recommended mitigation strategies.

  10. Verify fixes: Verify that the application’s owner or development team has addressed the vulnerability, and that the vulnerability has been fully mitigated.

  11. Continuously monitor: Continuously monitor the application for any new vulnerabilities or exploits, including regular testing and proactive monitoring to ensure that the application remains secure over time.

Tools set for exploiting HTTP parameter pollution (HPP) attacks

Manual Tools:

  • Burp Suite: A web application security testing tool that can be used to identify and exploit HPP vulnerabilities manually. Burp Suite can intercept and modify HTTP requests, and it includes a variety of tools for analyzing and manipulating input parameters.

  • OWASP ZAP: Another web application security testing tool that can be used to identify and exploit HPP vulnerabilities manually. OWASP ZAP includes a variety of tools for analyzing input parameters, including the ability to submit parameters multiple times with different values.

  • Fiddler: A web debugging tool that can be used to analyze and modify HTTP requests manually. Fiddler can be used to intercept and modify input parameters, and it includes a variety of tools for analyzing the structure and content of HTTP requests.

  • Chrome Developer Tools: A built-in browser feature that can be used to analyze and modify HTTP requests manually. Chrome Developer Tools can be used to inspect the structure and content of HTTP requests, and it includes a variety of tools for manipulating input parameters.

  • Firefox Developer Tools: A built-in browser feature that can be used to analyze and modify HTTP requests manually. Firefox Developer Tools can be used to inspect the structure and content of HTTP requests, and it includes a variety of tools for manipulating input parameters.

  • Hackbar: A browser plugin for Firefox that can be used to manually manipulate HTTP requests. Hackbar includes a variety of tools for modifying input parameters, including the ability to submit parameters multiple times with different values.

  • Tamper Data: A browser plugin for Firefox that can be used to intercept and modify HTTP requests manually. Tamper Data includes a variety of tools for analyzing and modifying input parameters, including the ability to submit parameters multiple times with different values.

  • Live HTTP Headers: A browser plugin for Firefox that can be used to analyze and modify HTTP requests manually. Live HTTP Headers can be used to inspect the structure and content of HTTP requests, and it includes a variety of tools for manipulating input parameters.

Automated Tools:

  • Netsparker: A web application security scanner that can be used to automatically identify and exploit HPP vulnerabilities. Netsparker includes a variety of tools for analyzing input parameters, and it can submit parameters multiple times with different values to identify HPP vulnerabilities.

  • Acunetix: Another web application security scanner that can be used to automatically identify and exploit HPP vulnerabilities. Acunetix includes a variety of tools for analyzing input parameters, and it can submit parameters multiple times with different values to identify HPP vulnerabilities.

  • Arachni: A web application security scanner that can be used to automatically identify and exploit HPP vulnerabilities. Arachni includes a variety of tools for analyzing input parameters, and it can submit parameters multiple times with different values to identify HPP vulnerabilities.

  • OpenVAS: A vulnerability scanner that can be used to automatically identify and exploit HPP vulnerabilities. OpenVAS includes a variety of tools for analyzing input parameters, and it can submit parameters multiple times with different values to identify HPP vulnerabilities.

  • Nikto: A web server scanner that can be used to automatically identify and exploit HPP vulnerabilities. Nikto includes a variety of tools for analyzing input parameters, and it can submit parameters multiple times with different values to identify HPP vulnerabilities.

  • Skipfish: A web application security scanner that can be used to automatically identify and exploit HPP vulnerabilities. Skipfish includes a variety of tools for analyzing input parameters, and it can submit parameters multiple times with different values to identify HPP vulnerabilities.

The Common Weakness Enumeration (CWE)

• CWE-434: Unrestricted Upload of File with Dangerous Type This CWE refers to vulnerabilities in web applications that allow users to upload files with dangerous extensions, such as executable files or scripts, which can then be executed on the server. Attackers can exploit this vulnerability by uploading malicious files that can be used to take control of the server or steal sensitive data.

• CWE-352: Cross-Site Request Forgery (CSRF) CSRF is a type of attack that exploits the trust between a user and a web application. Attackers can inject malicious code into a user’s browser to execute unauthorized actions on the user’s behalf within the web application. HPP attacks can be used to manipulate the parameters of the user’s requests to execute CSRF attacks.

• CWE-20: Improper Input Validation Improper input validation refers to vulnerabilities in web applications that allow attackers to inject malicious code into input fields, such as search boxes or login forms. HPP attacks can be used to manipulate the parameters of input fields to execute these types of attacks.

• CWE-400: Uncontrolled Resource Consumption Uncontrolled resource consumption refers to vulnerabilities in web applications that allow attackers to use up system resources, such as CPU or memory, causing denial of service (DoS) attacks. HPP attacks can be used to manipulate parameters to trigger these types of attacks.

• CWE-200: Information Exposure Information exposure refers to vulnerabilities in web applications that allow attackers to access sensitive information, such as passwords or credit card numbers. HPP attacks can be used to manipulate parameters to gain unauthorized access to this type of information.

• CWE-661: Weak Password Recovery Mechanism Weak password recovery mechanisms refer to vulnerabilities in web applications that allow attackers to bypass password reset mechanisms and gain unauthorized access to user accounts. HPP attacks can be used to manipulate parameters to exploit these types of vulnerabilities.

• CWE-311: Missing Encryption of Sensitive Data Missing encryption of sensitive data refers to vulnerabilities in web applications that transmit or store sensitive data without proper encryption, leaving it vulnerable to interception by attackers. HPP attacks can be used to manipulate parameters to intercept and access this type of data.

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm The use of broken or risky cryptographic algorithms refers to vulnerabilities in web applications that use outdated or weak encryption algorithms, making them vulnerable to attacks that can compromise the confidentiality or integrity of the data being transmitted or stored. HPP attacks can be used to manipulate parameters to exploit these types of vulnerabilities.

• CWE-285: Improper Authorization Improper authorization refers to vulnerabilities in web applications that allow attackers to access resources or execute actions that they are not authorized to access or execute. HPP attacks can be used to manipulate parameters to bypass authorization controls and gain unauthorized access to resources or execute unauthorized actions.

• CWE-532: Insertion of Sensitive Information into Debug Information Files The insertion of sensitive information into debug information files refers to vulnerabilities in web applications that include sensitive information in debug logs or other debugging output, making it vulnerable to unauthorized access. HPP attacks can be used to manipulate parameters to include sensitive information in debug logs or other debugging output, which can then be exploited by attackers.

CVES related to HTTP parameter pollution (HPP) attacks

• CVE-2009-2820 – The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product’s web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.

HTTP parameter pollution (HPP) attacks exploits

  • Access Control: HPP attacks can be used to bypass access controls and gain unauthorized access to sensitive information. For example, an attacker can modify the “user” parameter in a login request to bypass authentication and gain access to an account.

  • Injection attacks: HPP attacks can also be used to inject malicious code into a web application. For example, an attacker can modify the “search” parameter in a search request to inject SQL code and execute a SQL injection attack.

  • Cross-Site Scripting (XSS): HPP attacks can be used to inject malicious code into web pages, potentially allowing attackers to steal sensitive information or take control of user accounts. For example, an attacker can modify the “name” parameter in a comment request to inject JavaScript code and execute an XSS attack.

  • Denial of Service (DoS): HPP attacks can also be used to launch DoS attacks by overwhelming a web application with an excessive number of requests. For example, an attacker can modify the “page” parameter in a request to create an infinite loop and overload the server.

Practicing in test for HTTP parameter pollution (HPP) attacks

Understand the basics of HTTP parameter pollution: Learn about how HPP attacks work, the various types of vulnerabilities that can be exploited, and the potential impacts of these attacks.

Use a vulnerability scanner: There are many vulnerability scanners available that can help you identify HPP vulnerabilities in web applications. Some popular tools include OWASP ZAP, Burp Suite, and Nmap.

Manually test for HPP vulnerabilities: You can also manually test for HPP vulnerabilities by modifying HTTP requests and observing the response from the server. Try to modify the parameters in various ways to see if you can manipulate the behavior of the web application.

Use a proxy tool: A proxy tool can intercept and modify HTTP requests before they reach the server, making it easier to test for HPP vulnerabilities. Tools like OWASP ZAP and Burp Suite include proxy functionality.

Look for common HPP attack vectors: There are several common HPP attack vectors, such as the use of duplicate parameters, conflicting parameter values, and parameter pollution through cookies. Look for these vectors in your testing.

Learn from real-world examples: There are many examples of real-world HPP attacks that you can learn from. Analyze these attacks to understand how they were carried out and how they could have been prevented.

For study HTTP parameter pollution (HPP) attacks

OWASP HPP: OWASP (Open Web Application Security Project) is a well-known organization that provides resources and tools for web application security. OWASP HPP is a project that provides information and tools for detecting and preventing HPP attacks.

Web Application Security Testing with Burp Suite: Burp Suite is a popular web application security testing tool that includes functionality for testing for HPP vulnerabilities. The Burp Suite documentation includes a section on HPP testing.

Practical Web Application Penetration Testing: This book by Prakhar Prasad provides a comprehensive guide to web application penetration testing, including a section on HPP attacks.

HTTP Parameter Pollution: This article by Daniel Correa provides an in-depth analysis of HPP attacks, including common attack vectors and real-world examples.

Web Security Academy: The Web Security Academy by PortSwigger (the company behind Burp Suite) provides free online training courses on web application security, including a course on HPP attacks.

Penetration Testing: A Hands-On Introduction to Hacking: This book by Georgia Weidman provides an introduction to penetration testing and includes a section on HPP attacks.

Books with review of HTTP parameter pollution (HPP) attacks

Web Application Security: A Beginner’s Guide by Bryan Sullivan – This book covers the basics of web application security, including a section on HPP attacks.

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto – This comprehensive guide to web application security includes a section on HPP attacks.

Web Application Security Testing with Burp Suite by Sunny Wear – This book focuses specifically on using Burp Suite to test for web application vulnerabilities, including HPP attacks.

Practical Web Application Penetration Testing by Prakhar Prasad – This book provides a step-by-step guide to web application penetration testing, including a section on HPP attacks.

Hacker’s Guide to Project Management by James McCaffrey – While not specifically about web application security, this book includes a section on HPP attacks as an example of a security vulnerability.

Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman – This book provides an introduction to penetration testing and includes a section on HPP attacks.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz – This book focuses on using Python for penetration testing, including a section on HPP attacks.

Web Security for Developers: Real Threats, Practical Defense by Malcolm McDonald and Jason Alexander – This book provides practical guidance on web application security for developers, including a section on HPP attacks.

The Art of Exploitation by Jon Erickson – This book covers the fundamentals of computer security and includes a section on HPP attacks.

Gray Hat Hacking: The Ethical Hacker’s Handbook by Allen Harper, Daniel Regalado, and Ryan Linn – This book provides a comprehensive guide to ethical hacking, including a section on HPP attacks.

List of payloads HTTP parameter pollution (HPP) attacks

Duplicate parameters: A common HPP attack involves duplicating a parameter and setting different values for each instance. This can cause confusion for the web application and potentially result in unexpected behavior.

Conflicting parameter values: In this type of attack, conflicting values are set for a parameter, causing the web application to either take one value or the other, or to crash altogether.

Injected parameters: HPP attacks can also involve injecting new parameters into a request, causing the web application to behave in unexpected ways.

Reordering parameters: By changing the order of parameters in a request, an attacker can manipulate how the web application processes the data.

Parameter pollution through cookies: HPP attacks can also be carried out through cookies, by manipulating the values of cookies to affect the behavior of the web application.

Overriding parameters: HPP attacks can involve overriding existing parameters in a request, causing the web application to use the attacker’s value instead of the original value.

How to be protected from HTTP parameter pollution (HPP) attacks

  1. Validate and sanitize all user input: HPP attacks typically involve manipulating input parameters in unexpected ways. By validating and sanitizing all user input, you can prevent attackers from injecting malicious payloads into your web application.

  2. Use strong input validation techniques: Use strong input validation techniques, such as white-listing or regular expressions, to validate input and reject any that does not meet the expected format.

  3. Limit the number of parameters: Limit the number of parameters that your web application accepts to minimize the risk of HPP attacks.

  4. Use POST instead of GET: Use the POST method instead of the GET method for sensitive data. This will help protect your web application from HPP attacks that manipulate parameters in the URL.

  5. Implement HTTP Strict Transport Security (HSTS): HSTS is a security feature that forces web browsers to communicate with your web application only over a secure HTTPS connection, which can help protect against HPP attacks.

  6. Monitor your web application for suspicious activity: Use web application firewalls (WAFs) and intrusion detection systems (IDSs) to monitor your web application for suspicious activity and potential HPP attacks.

  7. Keep your web application up to date: Keep your web application up to date with the latest security patches and updates to ensure that any known vulnerabilities are addressed.

Mitigations for HTTP parameter pollution (HPP) attacks

  1. Input validation: Validate and sanitize all user input to ensure that it conforms to expected values and format. This will reduce the likelihood of attackers being able to manipulate parameters in unexpected ways.

  2. Parameter whitelisting: Implement a parameter whitelist to ensure that only expected parameters are accepted, while rejecting all others.

  3. Use POST instead of GET: Use the POST method instead of the GET method for sensitive data, as this will help protect your web application from HPP attacks that manipulate parameters in the URL.

  4. Parameter parsing: Implement a parameter parsing mechanism that can handle parameters in a consistent and secure manner.

  5. Request normalization: Normalize input data before processing it, which can help ensure that the input is consistent and secure.

  6. Context-aware parameter processing: Process parameters in a context-aware manner, taking into account the type of parameter and its intended use.

  7. Rate-limiting: Implement rate-limiting to prevent attackers from overwhelming your web application with a large number of requests that contain manipulated parameters.

  8. Session management: Implement session management to ensure that user sessions are secure and that user input is associated with the correct session.

Conclusion

HTTP Parameter Pollution (HPP) attacks are a type of web application vulnerability that can allow attackers to manipulate the behavior of web applications by injecting unexpected input parameters. HPP attacks can be difficult to detect and can result in a range of consequences, including data theft, denial-of-service attacks, and remote code execution.

To protect against HPP attacks, web application developers and security professionals can take a range of preventative measures, such as validating and sanitizing all user input, using strong input validation techniques, limiting the number of parameters, implementing HTTP Strict Transport Security (HSTS), and monitoring the web application for suspicious activity.

By implementing these measures and staying up to date with the latest security best practices, web application developers and security professionals can help protect their web applications against HPP attacks and other types of web application vulnerabilities.

Other Services

Ready to secure?

Let's get in touch