Severity: Medium | OWASP Top 10: A03:2021 | CWE-235 | Category: Injection

HTTP Parameter Pollution

Sending the same parameter twice in a request exploits inconsistent server parsing — bypassing WAFs, overriding security parameters, and altering business logic without triggering validation.

What Is HTTP Parameter Pollution?

HTTP Parameter Pollution (HPP) exploits the fact that different web technologies handle duplicate parameters differently. When a request contains id=1&id=2, Apache/PHP uses the last value, ASP.NET concatenates them, and Express.js returns an array. This inconsistency between the WAF and the application creates exploitable gaps.

How It Works

WAF Bypass via Parameter Splitting

GET /api/search?q=normal&q=UNION+SELECT+password+FROM+users HTTP/1.1

The WAF inspects q=normal (first value) and allows the request. The backend uses q=UNION SELECT password FROM users (last value).

Business Logic Override

POST /api/transfer HTTP/1.1
Content-Type: application/x-www-form-urlencoded

amount=100&to_account=victim&to_account=attacker

The validation checks to_account=victim (first), but the transfer executes against to_account=attacker (last).

JSON Duplicate Keys

{"role": "user", "role": "admin"}

The JSON spec (RFC 8259) says object names should be unique and leaves the result of duplicates unspecified. Most parsers silently take the last value — if validation checks the first, an attacker gains admin.

Real-World Impact

  • WAF evasion — split injection payloads across duplicate parameters
  • Price manipulation — override validated price with attacker-controlled value
  • Privilege escalation — inject admin role via duplicate key
  • Authentication bypass — override validated credentials

How to Fix

Reject requests with duplicate parameters (Flask example; request.args is a werkzeug MultiDict, whose keys() yields each name only once, so duplicates have to be counted over every submitted pair via items(multi=True)):

from collections import Counter
from flask import request, jsonify

# items(multi=True) yields one (name, value) pair per parameter as sent,
# so a name that was submitted twice is counted twice
params = Counter(k for k, _ in request.args.items(multi=True))
duplicates = [k for k, count in params.items() if count > 1]
if duplicates:
    return jsonify({"error": f"Duplicate parameters: {duplicates}"}), 400

Use strict JSON parsers that reject duplicate keys.

Ensure WAF and application parse parameters identically.
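The following is an added example (not VibeWShield's code or the snippet above): it shows how the first-wins, last-wins, array and concatenation policies described in "How It Works" resolve the same query string, and then a strict query-string parser and a strict JSON parser (json.loads with object_pairs_hook) that raise instead of silently picking a value. Function and exception names are my own.

```python
import json
from urllib.parse import parse_qsl


class DuplicateParameterError(ValueError):
    """Raised when a query string or JSON object repeats a name."""


def parse_query_policies(qs: str) -> dict:
    """Resolve duplicate query parameters under the four policies from the text:
    first-wins (typical WAF), last-wins (Apache/PHP), array (Express.js),
    comma-concatenation (ASP.NET)."""
    first, last, all_values = {}, {}, {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        first.setdefault(key, value)
        last[key] = value
        all_values.setdefault(key, []).append(value)
    concat = {k: ",".join(v) for k, v in all_values.items()}
    return {"first": first, "last": last, "all": all_values, "concat": concat}


def parse_query_strict(qs: str) -> dict:
    """Parse a query string and reject any parameter name that appears twice."""
    result = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if key in result:
            raise DuplicateParameterError(f"duplicate query parameter: {key}")
        result[key] = value
    return result


def _reject_duplicate_keys(pairs):
    # object_pairs_hook receives every (name, value) pair of each JSON object,
    # including nested ones, in document order, so duplicates are visible here
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateParameterError(f"duplicate JSON key: {key}")
        obj[key] = value
    return obj


def parse_json_strict(body: str):
    """Strict JSON parse: duplicate keys raise instead of last-value-wins."""
    return json.loads(body, object_pairs_hook=_reject_duplicate_keys)


if __name__ == "__main__":
    # constructed sample inputs taken from the cases discussed above
    print(parse_query_policies("q=normal&q=UNION+SELECT+password+FROM+users"))
    print(parse_query_strict("amount=100&to_account=victim"))
    print(parse_json_strict('{"role": "user"}'))
```

Run the strict parsers in front of both the WAF and the application, or at least at the application boundary, so both components see the same single value or the same rejection.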

What VibeWShield Detects

VibeWShield's HPP scanner tests every URL with query parameters by duplicating the first parameter with a canary value. It also sends JSON bodies with duplicate keys to API endpoints. A changed HTTP status code, or the canary value reflected in the response, confirms that HPP is possible.

Tags: hpp, parameter-pollution, waf-bypass, injection
