HPP (HTTP Parameter Pollution) is an attack method that appears in different contexts and that usually applies in the context of HPI (HTTP Parameter injection) attacks. The HTTP specifications provide no guidelines as to how web servers should perform when a request contains multiple parameters with the same name. In practice, different web servers perform in different ways.
Here are some common behaviors:
– Use the first instance of the parameter.
– Use the last instance of the parameter.
– Concatenate the parameter values, maybe adding a separator between them.
– Construct an array containing all the supplied values.
The attacker or the hacker could add a new parameter to the back-end request. In fact, it is more likely in practice that the request into which the attacker can inject already includes a parameter with the name he is targeting. In this situation, the attacker can use the HPI (HTTP Parameter injection) situation to inject a second instance of the same parameter. The resulting application behavior then depends on how the back-end HTTP server manages the duplicated parameter.
The hacker may be able to use the HTTP Parameter Pollution method to “override” the value of the original parameter with the value of his injected parameter.