Parameter Pollution
When testing for HTTP Parameter Pollution (HPP), keep in mind that different servers handle repeated parameters differently.
Take http://example.com?username=foo&username=bar as an example.
- PHP and Apache use the last username occurrence.
- Tomcat uses the first occurrence.
- ASP and IIS use all occurrences.
A study covering the behaviour of many servers can be found here: https://owasp.org/www-pdf-archive/AppsecEU09_CarettoniDiPaola_v0.8.pdf
Social Media Share Links
Often a website offers its users a feature to share a given page on social media. The feature works this way: a user clicks the share button, and a pop-up page shows the message and an action button the user clicks to share the content.
Almost always the original link from the site is reflected in the request.
HPP can be used to leverage this feature and overwrite the shared content:
- Find a page with a share feature
- Choose Twitter (as an example)
- Replace the URL from
example.com/cool-article
to example.com/cool-article?text=;Visit https://evil.com
- Load the new URL and click the share button
- The user will now share a tweet with
<original_message>;Visit https://evil.com
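The share-link problem above exists because the page URL is reflected into the share request without being encoded. The following Python is an added example (not code from the original notes): it builds the Twitter intent link the vulnerable way and the encoded way and shows what the share endpoint actually receives. The intent URL https://twitter.com/intent/tweet is real; the page URL and message are constructed sample values (the page URL carries an injected parameter in its own query string, as in the notes, using & so that a standard query parser shows the effect), and share_link_naive, share_link_safe, canonical_page_url and share_params are names chosen for this example.

```python
"""Build a social-share link so the shared page URL cannot inject parameters.

Added example, not code from the original notes. INTENT is the real
Twitter web-intent endpoint; PAGE and MESSAGE are constructed sample
values; the function names are chosen for this example.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

INTENT = "https://twitter.com/intent/tweet"

# Constructed sample: a page URL that carries an injected text parameter
# in its own query string, as described in the notes.
PAGE = "https://example.com/cool-article?ref=home&text=injected"
MESSAGE = "Great read"


def share_link_naive(page_url: str, message: str) -> str:
    """Vulnerable pattern: the current page URL is pasted into the share
    link unencoded, so any '&name=value' inside it becomes a parameter
    of the share request itself."""
    return f"{INTENT}?url={page_url}&text={message}"


def share_link_safe(page_url: str, message: str) -> str:
    """Hardened pattern: every value is percent-encoded, so '&', '=' and
    '?' inside the page URL stay inside the url= value."""
    return f"{INTENT}?{urlencode({'url': page_url, 'text': message})}"


def canonical_page_url(page_url: str) -> str:
    """Extra hardening: share only scheme://host/path of the page and drop
    whatever query string or fragment the visitor arrived with."""
    parts = urlsplit(page_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def share_params(link: str) -> dict:
    """Parse the share link as the share endpoint would; repeated names
    show up as lists, which is exactly the pollution a reviewer looks for."""
    return parse_qs(urlsplit(link).query, keep_blank_values=True)


if __name__ == "__main__":
    print("naive:", share_params(share_link_naive(PAGE, MESSAGE)))
    print("safe: ", share_params(share_link_safe(PAGE, MESSAGE)))
    print("safe+canonical:",
          share_params(share_link_safe(canonical_page_url(PAGE), MESSAGE)))
```

With the naive builder the endpoint sees two text values and a truncated url; with urlencode the whole page URL stays inside url and the site's own message is the only text. Sharing the canonical path instead of the full visitor URL removes the reflection entirely.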
Bypass WAF with HPP
Sometimes a single payload triggers the WAF. Pollution can be used to split the payload across repeated parameters, so that no single value matches a rule:
target.com/file.asp?p=SOME&p=PAYLOAD&p=HERE
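Both the server-behaviour table at the top of the notes and the split-payload trick above come down to how repeated names are collapsed. The following Python is an added example (not code from the original notes) that resolves a query string under the first/last/all rules the notes attribute to Tomcat, PHP/Apache and ASP/IIS, and then shows why a filter must inspect the joined value rather than each occurrence on its own. The comma join for the "all" rule follows ASP.NET's Request.QueryString behaviour as described in the linked study; the sample queries, the RULES table and the function names are chosen for this example.

```python
"""Resolve repeated query parameters the way different back ends do.

Added example, not code from the original notes. The first/last/all
rules are the ones the notes attribute to Tomcat, PHP/Apache and ASP/IIS;
the comma join for "all" follows ASP.NET's Request.QueryString behaviour.
Function names and sample queries are chosen for this example.
"""
from __future__ import annotations

from urllib.parse import parse_qsl

# Back-end name -> how a repeated name collapses to one value.
RULES = {
    "tomcat": "first",      # first occurrence wins
    "php": "last",          # PHP/Apache: last occurrence wins
    "aspnet": "all",        # ASP/IIS: every occurrence, comma-joined
}


def pairs(query: str) -> list[tuple[str, str]]:
    """Ordered (name, value) pairs, blank values kept, leading '?' ignored."""
    return parse_qsl(query.lstrip("?"), keep_blank_values=True)


def resolve(query: str, backend: str) -> dict[str, str]:
    """Collapse repeated names according to the given back end's rule."""
    rule = RULES[backend]
    seen: dict[str, str] = {}
    for name, value in pairs(query):
        if rule == "first":
            seen.setdefault(name, value)
        elif rule == "last":
            seen[name] = value
        else:  # "all"
            seen[name] = value if name not in seen else seen[name] + "," + value
    return seen


def repeated_names(query: str) -> set[str]:
    """Names that occur more than once. A request filter can simply reject
    these, which removes every variant of the trick at once."""
    counts: dict[str, int] = {}
    for name, _ in pairs(query):
        counts[name] = counts.get(name, 0) + 1
    return {name for name, count in counts.items() if count > 1}


def value_matches(query: str, backend: str, needle: str) -> bool:
    """Inspect values the way the back end will see them. A filter that
    checks each raw occurrence separately never sees the joined string."""
    return any(needle in v for v in resolve(query, backend).values())


def per_occurrence_matches(query: str, needle: str) -> bool:
    """The naive filter: test each occurrence on its own."""
    return any(needle in v for _, v in pairs(query))


if __name__ == "__main__":
    q = "?username=foo&username=bar"
    for backend in RULES:
        print(backend, resolve(q, backend))
    # Constructed split value, after the notes' ?p=SOME&p=PAYLOAD&p=HERE
    split = "p=SOME&p=PAYLOAD&p=HERE"
    print("repeated:", repeated_names(split))
    print("naive filter sees PAYLOAD,HERE:", per_occurrence_matches(split, "PAYLOAD,HERE"))
    print("aspnet view sees PAYLOAD,HERE:", value_matches(split, "aspnet", "PAYLOAD,HERE"))
```

The practical takeaway for a filter or WAF is in the last two calls: the same request yields a different value per back end, so inspection has to happen on the value the real back end will use, or repeated names should be rejected outright before any rule runs.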
Ideas for pollution
?id=id=1
&id=1?id=2
?id['&id=1']=2
?id[1&id=2]=1
?id=1&id=2
&id=1&id=2
?id=1%26id%3D2
?id&id=1
????id=1
&&&&id=1
?id=id['1']=2
?id=1#id=2
?id==1
?id===1
;id=1?id=2
?id;id=1
&id=1;id=2
#id=1?id=2&id=3
?id=1,2
?id1,id2=1
?id[=1&id=2]=3
?id[&id=2]=1
?id=[1,2]
?id&=1
?id[]=1&id=2
?id=/:@&=+$&id=2
?id[=/:@&=+$&id=2]=1
?id={id:{id:1},2}
?id[{id:{id[]:1},2}]=3
?id=%23?id=1
?id=1%26id=2
?id=1%2526id=2
?id=1%c0%a6id=2
?id=1\uc0a6id=2
?id=1%u0026;id=2
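Most of the variants above only do anything when two components parse the same string differently, typically a front end that decodes once and splits on & and a later layer that decodes again or accepts another separator. The following Python is an added example (not code from the original notes): it compares a strict parse (fragment dropped as a browser would, split on & before decoding, each component decoded once) with a deliberately lenient one (decode repeatedly, accept ; as a separator, as older versions of Python's urllib.parse.parse_qs did) and lists the variants on which the two disagree about how many id parameters exist. VARIANTS copies a handful of entries from the list above; strict_pairs, lenient_pairs, count_name and divergent are names chosen for this example.

```python
"""Find query variants on which two parsers disagree about repeated names.

Added example, not code from the original notes. strict_pairs mirrors a
conventional server-side parse; lenient_pairs models a downstream layer
that decodes again and accepts ';' as a separator (older versions of
Python's urllib.parse.parse_qs did). VARIANTS copies a few entries from
the list above; the function names are chosen for this example.
"""
from __future__ import annotations

from urllib.parse import unquote

VARIANTS = (
    "?id=1&id=2",
    "?id=1%26id%3D2",
    "?id=1%2526id=2",
    "?id=1#id=2",
    "&id=1;id=2",
    "?id=1,2",
    "?id[]=1&id=2",
)


def _split_pairs(query: str, separators: tuple[str, ...]) -> list[tuple[str, str]]:
    """Split on every separator given, skip empty chunks, keep blank values."""
    for sep in separators[1:]:
        query = query.replace(sep, separators[0])
    pairs = []
    for chunk in query.split(separators[0]):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((name, value))
    return pairs


def strict_pairs(raw: str) -> list[tuple[str, str]]:
    """Conventional parse: drop the fragment (a browser never sends it),
    split on '&' before decoding, then decode each name and value once."""
    query = raw.split("#", 1)[0].lstrip("?")
    return [(unquote(n), unquote(v)) for n, v in _split_pairs(query, ("&",))]


def decode_until_stable(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly, so %2526 -> %26 -> '&'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def lenient_pairs(raw: str) -> list[tuple[str, str]]:
    """Permissive parse: decode the whole string first, then split on '&'
    or ';', which is how encoded separators turn into extra parameters."""
    query = decode_until_stable(raw.split("#", 1)[0]).lstrip("?")
    return _split_pairs(query, ("&", ";"))


def count_name(pairs: list[tuple[str, str]], name: str) -> int:
    """How many times 'name' occurs in a parsed pair list."""
    return sum(1 for n, _ in pairs if n == name)


def divergent(variants, name: str = "id") -> list[str]:
    """Variants where the two parsers disagree on how many 'name' params
    exist: the ones a normalising front end must reject or canonicalise."""
    return [v for v in variants
            if count_name(strict_pairs(v), name) != count_name(lenient_pairs(v), name)]


if __name__ == "__main__":
    for v in VARIANTS:
        print(f"{v:20} strict={count_name(strict_pairs(v), 'id')} "
              f"lenient={count_name(lenient_pairs(v), 'id')}")
    print("divergent:", divergent(VARIANTS))
```

The fragment variant is harmless to a server because the browser strips it, and the comma variant is a single value to both parsers; the encoded-ampersand, double-encoded and semicolon variants are the ones where a second decode or a looser separator rule manufactures a second id. Decoding exactly once, splitting before decoding, and rejecting repeated names after that single decode keeps every layer seeing the same parameters.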