What is HTTP Parameter Pollution attacks?

What is HTTP Parameter Pollution attacks?

HTTP Parameter Pollution (HPP) is a Web attack evasion technique that allows an attacker to craft a HTTP request in order to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name.

What is parameter manipulation?

Parameter tampering is a form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL) or Web page form field data entered by a user are changed without that user’s authorization.

What is parameter in HTTP request?

When the GET request method is used, if a client uses the HTTP protocol on a web server to request a certain resource, the client sends the server certain GET parameters through the requested URL. These parameters are pairs of names and their corresponding values, so-called name-value pairs.

What is HTTP Verb Tampering?

HTTP Verb Tampering is an attack that exploits vulnerabilities in HTTP verb (also known as HTTP method) authentication and access control mechanisms. Many authentication mechanisms only limit access to the most common HTTP methods, thus allowing unauthorized access to restricted resources by other HTTP methods.

What are insecure HTTP methods?

This means that some of the HTTP methods considered as insecure (OPTIONS, TRACE, etc.) are enabled on your web server, allowing additional functionality which can be used by an attacker to perform further attacks. CONNECT: The attacker may use your server as proxy in order to attack any third-party applications.

What is HTTP verb tunneling?

What is it? HTTP verb tunnelling (sometime called HTTP method override) is actually hack. This is provided to solve situation where web application running behind strict-policy firewall which only allows GET and POST request.

What is tampering in cyber security?

Definition(s): An intentional but unauthorized act resulting in the modification of a system, components of systems, its intended behavior, or data.

How does HTTP parameter pollution ( HPP ) work?

HTTP Parameter Pollution (HPP) in detail. HTTP Parameter Pollution, as implied by the name, pollutes the HTTP parameters of a web application in order to perform or achieve a specific malicious task/attack different from the intended behavior of the web application. This hacking technique is considered to be simple, but quite effective.

How is HPP used for cross Channel Pollution?

HPP could be used for cross channel pollution, bypassing CSRF protection and WAF input validation checks. When passed multiple parameters with same name, here is how backend behaves Proper input validation and awareness about web technology on HPP is protection against HTTP Parameter Pollution.

Which is an example of parameter pollution attack?

In the basic form of parameter pollution the attacker encodes his delimiter using the percent-encoding method (%FF); then depending from the application, other encoding schema like the double-encoding one (%25FF) can be adopted, or may reveal being unnecessary (ref. the Google Blogger example).

How to detect HTTP parameter pollution attacks ( acunetix )?

As seen below, an attacker creates a URL and injects another parameter ‘action’ preceded by an encoded query string delimiter (e.g. %26) after the client_id parameter. This parameter holds the value ‘delete’: