Explaining HTTP Parameter Pollution

HTTP Parameter Pollution is a vulnerability that lets an attacker override parameters that should not be user-editable…

and, in some cases, change the order in which the server processes them.

Suppose we have a banking system where you can transfer money to anyone and set the transfer amount.

  • The bank server runs PHP and passes the transfer data in the query string.

After a transfer, the page shows a message saying who transferred to whom and the amount of the transfer…

The parameters parsed by the process.php file that performs the transfer are:

by = the account that loses money / to = the account that receives money / value = the amount of money

p=1&p=2

Each server has its own rules for interpreting duplicate parameters: some take the last value (p=2), others take the first (p=1), and some keep all of them, like Google, which concatenates the values (p=1 2).

The Server Parameter Order

The server reads the parameters from first to last…

so for a duplicated name it keeps the last value set.

The final URL of the GET request is:

process.php/?by=Hacker&to=Vitima&value=2000

We need to change the first parameter, “by”… and to do that we can override it by adding a new parameter with the same name inside the value of “to”:

process.php/?by=Hacker&to=Hacker&by=Vitima&value=2000

Now everything after “to=” is the user input in the “to” field, but it closes that first value and adds a new “by” parameter, which overrides the original because the server keeps the last value ;)

Victim 🤝💵 Hacker

How to prevent Parameter Pollution?

To fix the vulnerability, the server needs to sanitize user input.

Apply an encoding such as URL encoding to user-supplied values before concatenating them into the query string, like this:

process.php/?by=Hacker&to=Hacker%26by%3DVitima&value=2000

or simply disallow characters such as “&” and “=” in the input

e.g. the recipient name of the transfer may only be alphanumeric
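As an added example (not code from the original post), the following Python simulates the three duplicate-parameter rules described above, the raw string concatenation that produces the polluted URL, and the two fixes just mentioned: URL-encoding the value and an alphanumeric allow-list. The function names parse_query, build_url_vulnerable, build_url_encoded and validate_recipient are my own, and the sample request is constructed from the post's URLs.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed example (not the post's own code). Simulates how servers with
# different duplicate-parameter rules see the transfer request, a URL builder
# that concatenates raw input (vulnerable), and the two fixes from the post.

def parse_query(query: str, mode: str = "last") -> dict:
    """Parse a query string with a chosen duplicate-parameter rule.
    mode="last"  : last value wins (PHP's $_GET behaviour)
    mode="first" : first value wins
    mode="all"   : keep every value, space-joined (the post's 'p=1 2' case)
    """
    params: dict = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in params:
            params[name] = value
        elif mode == "last":
            params[name] = value
        elif mode == "all":
            params[name] = params[name] + " " + value
        # mode == "first": keep the value already stored
    return params

def query_of(url: str) -> str:
    """Return the query-string part of a URL (empty if there is none)."""
    return url.split("?", 1)[1] if "?" in url else ""

def build_url_vulnerable(by: str, to: str, value: int) -> str:
    # Raw concatenation: '&' and '=' inside `to` become new parameters.
    return f"process.php/?by={by}&to={to}&value={value}"

def build_url_encoded(by: str, to: str, value: int) -> str:
    # urlencode() percent-encodes '&' (%26) and '=' (%3D), so they stay
    # part of the `to` value instead of starting a second `by` parameter.
    return "process.php/?" + urlencode({"by": by, "to": to, "value": value})

_ALNUM = re.compile(r"[A-Za-z0-9]+")

def validate_recipient(to: str) -> str:
    """Allow-list check: the recipient name may only be alphanumeric."""
    if not _ALNUM.fullmatch(to):
        raise ValueError(f"invalid recipient: {to!r}")
    return to
```

Running parse_query over the vulnerable URL with mode="last" shows by=Vitima, while the encoded URL keeps by=Hacker and the allow-list rejects the polluted recipient outright.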

15y PT-BR / bug hunter and developer