Merge pull request #2002 from HackTricks-wiki/research_update_src_pentesting-web_parameter-pollution_20260314_130529

Research Update Enhanced src/pentesting-web/parameter-pollut...

Author: carlospolop

src/pentesting-web/parameter-pollution.md

@@ -3,6 +3,7 @@
 {{#include ../banners/hacktricks-training.md}}
 
 
+
 ## HTTP Parameter Pollution (HPP) Overview
 
 HTTP Parameter Pollution (HPP) is a technique where attackers manipulate HTTP parameters to change the behavior of a web application in unintended ways. This manipulation is done by adding, modifying, or duplicating HTTP parameters. The effect of these manipulations is not directly visible to the user but can significantly alter the application's functionality on the server side, with observable impacts on the client side.
@@ -50,6 +51,35 @@ The way web technologies handle duplicate HTTP parameters varies, affecting thei
 - **Flask:** Adopts the first parameter value encountered, such as `a=1` in a query string `a=1&a=2`, prioritizing the initial instance over subsequent duplicates.
 - **PHP (on Apache HTTP Server):** Contrarily, prioritizes the last parameter value, opting for `a=2` in the given example. This behavior can inadvertently facilitate HPP exploits by honoring the attacker's manipulated parameter over the original.
 
+
+### HPP Testing Notes (OWASP WSTG)
+
+- HTTP standards do not define how to interpret multiple parameters with the same name, so behavior varies across stacks and components.
+- When testing server-side HPP, duplicate each parameter in query strings or bodies and observe whether the application concatenates values, uses first/last, or errors.
+- For client-side HPP, inject a URL-encoded `&` into a reflected parameter value (e.g., `%26HPP_TEST`) and look for decoded occurrences such as `&HPP_TEST` or `&HPP_TEST` inside generated links or form actions.
+
+### Server-Side Parameter Pollution (SSPP) in Internal APIs
+
+Some applications embed user input into server-side requests to internal APIs. If that input is not properly encoded, you can inject or override parameters in the internal request. Test any user input, including query parameters, form fields, headers, and URL path parameters.
+
+Common probes:
+
+- Add a new parameter with `%26` (URL-encoded `&`).
+- Truncate the downstream query with `%23` (URL-encoded `#`).
+- Override an existing parameter by duplicating it.
+
+Example:
+
+```http
+GET /userSearch?name=peter%26name=carlos&back=/home
+```
+
+Potentially results in a server-side request like:
+
+```http
+GET /users/search?name=peter&name=carlos&publicProfile=true
+```
+
 ## Parameter pollution by technology
 
 There results were taken from [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
@@ -118,6 +148,10 @@ There results were taken from [https://medium.com/@0xAwali/http-parameter-pollut
 
 ## JSON Injection
 
+{{#ref}}
+json-xml-yaml-hacking.md
+{{#endref}}
+
 ### Duplicate keys
 
 ```ini
@@ -223,8 +257,7 @@ Which might create inconsistences
 - [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
 - [https://bishopfox.com/blog/json-interoperability-vulnerabilities](https://bishopfox.com/blog/json-interoperability-vulnerabilities)
 
+- [https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution)
+- [https://portswigger.net/web-security/api-testing/server-side-parameter-pollution](https://portswigger.net/web-security/api-testing/server-side-parameter-pollution)
 
 {{#include ../banners/hacktricks-training.md}}
-
-
-