HPP
Definition
HTTP Parameter Pollution (HPP) is a web security vulnerability that occurs when an attacker injects or manipulates multiple HTTP parameters with the same name in a single request. Because different web servers, frameworks and intermediaries resolve a repeated parameter differently (some keep the first value, some the last, some all of them), a value that passes validation in one component can be a different value by the time another component acts on it. This can lead to unexpected behavior on the server side, such as bypassing input validation, altering application logic, or exploiting other vulnerabilities. HPP can be particularly dangerous when combined with other vulnerabilities like SQL Injection or Cross-Site Scripting (XSS).
Secure Settings Example
# Example of a secure server-side configuration in a web application firewall (WAF)
# that prevents HTTP Parameter Pollution by rejecting duplicate parameters.
rules:
  - id: 1001
    description: "Block requests with duplicate parameters"
    action: block
    conditions:
      - type: parameter
        match: duplicate
Insecure Settings Example
# Example of an insecure server-side configuration that does not handle duplicate parameters,
# potentially allowing HPP attacks.
server:
  allow_duplicate_parameters: true
  # This setting permits multiple parameters with the same name, which can be exploited.
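As an added example (not code from the original page), the following Python script makes the definition concrete and implements the check the WAF rule above describes: it shows how three common server-side precedence rules disagree about a repeated parameter, and it rejects any request that carries one. The sample URLs, the function names and the "first"/"last"/"join" policy labels are constructed for this illustration.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs (not from the original page) showing how the same
# query parameter can be supplied more than once in one request.
SAMPLE_URLS = [
    "https://example.test/search?q=shoes&page=2",
    "https://example.test/search?q=shoes&page=2&page=9",
    "https://example.test/transfer?amount=10&amount=25&to=alice",
]


def duplicated_parameters(url: str) -> Dict[str, List[str]]:
    """Return every query parameter that appears more than once, with all its values.

    parse_qs keeps every value for a repeated name, so the duplicates stay visible
    even though many frameworks would silently keep only the first or the last one.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values for name, values in params.items() if len(values) > 1}


def resolve(url: str, name: str, policy: str) -> Optional[str]:
    """Simulate three common precedence rules for a repeated parameter.

    'first' and 'last' mimic components that keep a single value; 'join' mimics
    those that concatenate every value. A validator and a back-end that apply
    different rules to the same request is exactly the gap HPP exploits.
    """
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name)
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "join":
        return ",".join(values)
    raise ValueError(f"unknown policy: {policy}")


def is_acceptable(url: str) -> bool:
    """Mirror the WAF rule above: reject any request carrying a duplicate parameter."""
    return not duplicated_parameters(url)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = "allowed" if is_acceptable(url) else "blocked"
        print(url, "->", verdict, duplicated_parameters(url))
```

Running the script prints one verdict per sample URL; the second and third are blocked because `page` and `amount` are repeated.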