BIPI

HTTP Parameter Pollution: Backend Splits That Pay Out

Cybersecurity

Different stacks parse duplicate parameters differently. We map PHP, Java, .NET, Node, and Python behavior, walk through real auth bypasses, and show the gateway plus app combinations that hide the bug in plain sight.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 29, 2023 · 9 min read

#hpp #parameter-pollution #pentesting #auth-bypass #waf

Why HPP still works

HTTP allows duplicate parameters in a query string. There is no standard for what the server does. PHP returns the last value. Java Servlet returns the first via getParameter and all via getParameterValues. ASP.NET concatenates with commas. Node Express returns an array. When two layers disagree, the attacker wins.

Parsing matrix

  • PHP $_GET, last value wins
  • Java Servlet getParameter, first value wins
  • ASP.NET Request.QueryString, comma separated concatenation
  • Node Express, array of values for duplicates
  • Python Flask request.args.get, first value wins
  • Ruby Rack, last value wins

Classic auth bypass

Gateway sees a role parameter twice, once as user, once as admin, and validates the first value as user, allowing the request. App reads the last value as admin and serves the admin endpoint. The split is between the two parsers and lives at the WAF or auth proxy boundary.

Payment manipulation

Cart endpoints often accept an amount parameter. Send it twice, once high, once one rupee. The WAF logs the high one. The pricing service sees the small one. Payment goes through at the lower amount. We have found variants of this on three regional payment providers in the last year.

Encoding tricks

Some stacks decode the percent encoded ampersand after the gateway parses. Submit an id parameter whose value contains a percent encoded ampersand followed by an admin=true tail. The gateway sees one parameter, id. The app decodes a second time and sees two. Same trick with semicolons on Tomcat.

Discovery workflow

  1. List endpoints with security relevant parameters, role, amount, target, redirect
  2. Submit duplicate values, low risk one first, high risk one second, then swap
  3. Compare response bodies and side effects to infer which value was used
  4. Try mixed encoding, URL encoded ampersands, semicolons, JSON plus query string

Tooling

Burp Repeater is the workhorse. The Param Miner extension finds hidden parameters that often interact with HPP. Wapiti has an HPP module. For automated regression, write a small script that probes every form parameter with a duplicate.

Detection

  • Duplicate parameters in access logs are rare in normal traffic, alert on them
  • WAF blocks for parameter limit violations spiking from a single IP
  • Parameter values containing both safe and dangerous content separated by comma in .NET logs

Remediation

  1. Normalize parameters at the gateway, reject duplicates outright
  2. Ensure WAF and app server use the same parsing semantics, document and test
  3. Validate at the deepest layer, never trust the gateway to filter before authorization
  4. Use structured inputs, JSON over query strings, with strict schema validation
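The parsing matrix above, the duplicate-parameter log check under Detection and the gateway reject under Remediation, as one added example that is not code from the original post. The stack rules are the defaults listed in the matrix, the log format is assumed to be a combined access log, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit
# Added example, not code from the original post: the parsing matrix above as code,
# plus the duplicate-parameter log check (Detection) and gateway reject (Remediation).
STACK_RULES = {
    "php": lambda vs: vs[-1],                   # $_GET: last value wins
    "java_servlet": lambda vs: vs[0],           # getParameter: first value wins
    "aspnet": lambda vs: ",".join(vs),          # Request.QueryString: comma joined
    "express": lambda vs: vs if len(vs) > 1 else vs[0],  # array for duplicates
    "flask": lambda vs: vs[0],                  # request.args.get: first wins
    "rack": lambda vs: vs[-1],                  # last value wins
}
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')  # request line of a combined log

def group_params(query):
    """Group raw query pairs by key, keeping first-appearance order."""
    grouped = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(key, []).append(value)
    return grouped

def stack_views(query):
    """What each stack's default accessor yields for every key."""
    return {key: {stack: rule(values) for stack, rule in STACK_RULES.items()}
            for key, values in group_params(query).items()}

def duplicated_keys(query):
    """Keys sent more than once: the precondition for any HPP split."""
    return [k for k, vs in group_params(query).items() if len(vs) > 1]

def gateway_normalize(query):
    """Remediation step 1: reject any duplicated key before the app sees it."""
    if duplicated_keys(query):
        raise ValueError(f"duplicate parameters rejected: {duplicated_keys(query)}")
    return query

def flag_duplicate_params(log_lines):
    """Detection: (url, duplicated keys) for each log line carrying duplicates."""
    hits = []
    for match in filter(None, map(LOG_RE.search, log_lines)):
        dupes = duplicated_keys(urlsplit(match.group(1)).query)
        if dupes:
            hits.append((match.group(1), dupes))
    return hits

SAMPLE_LOG = [  # constructed sample access-log lines, not real traffic
    '10.0.0.5 - - [29/Dec/2023:10:00:01 +0530] "GET /admin?role=user&role=admin HTTP/1.1" 200 512',
    '10.0.0.6 - - [29/Dec/2023:10:00:02 +0530] "GET /cart?amount=4999 HTTP/1.1" 200 88',
    '10.0.0.7 - - [29/Dec/2023:10:00:03 +0530] "POST /pay?amount=4999&amount=1 HTTP/1.1" 302 0',
]
```

Note that a value carrying a percent encoded ampersand is still a single key to this first-pass parser, which is exactly why the encoding trick slips past a gateway that only checks for duplicates.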

~26%: apps where gateway and app disagree on duplicates in our tests
$2.8k: bounty median for HPP auth bypass

"If two layers parse the same request differently, the attacker just picks whichever interpretation pays."
