Skip to main content


Home HTTP parameter pollution

HTTP parameter pollution

(Also HPP)

HTTP parameter pollution definition

HTTP parameter pollution (HPP) is a web application vulnerability where an attacker manipulates or injects additional HTTP parameters into a web request, leading to security glitches and unexpected behavior, like data leaks, denial of service, or remote code execution. It happens when a web application does not properly handle or validate multiple occurrences of the same parameter within an HTTP request, allowing an attacker to exploit this vulnerability.

HPP works by exploiting the way web applications handle and process HTTP requests. Typically, a web application expects a single value for each parameter in the request. However, an attacker can manipulate the request by including multiple values for the same parameter, either by modifying the URL, query string, form data, or cookies.

See also: HTTP

Preventing the HTTP parameter pollution

  • Input validation. Implement strong input validation techniques to ensure that parameters contain expected data types and values.
  • Parameter whitelisting. Validate and restrict the parameters to only known and authorized values, preventing unexpected or malicious input.
  • Sanitization and encoding. Apply appropriate sanitization and encoding techniques to handle user input securely, preventing code injection attacks.
  • Secure coding practices. Adhere to secure coding practices (like avoiding direct parameter usage in dynamic queries and using prepared statements.)
  • Web application firewalls. Use firewalls to detect and block malicious requests that exploit parameter pollution vulnerabilities.
  • Security testing. Perform regular security assessments, including penetration testing and code reviews, to identify and fix HPP vulnerabilities.