To install click the Add extension button. That's it.

The source code for the WIKI 2 extension is being checked by specialists of the Mozilla Foundation, Google, and Apple. You could also do it yourself at any point in time.

How to transfigure the Wikipedia

Would you like Wikipedia to always look as professional and up-to-date? We have created a browser extension. It will enhance any encyclopedic page you visit with the magic of the WIKI 2 technology.

Try it — you can delete it anytime.

Install in 5 seconds
4,5
Kelly Slayton
Congratulations on this excellent venture… what a great idea!
Alexander Grigorievskiy
I use WIKI 2 every day and almost forgot how the original Wikipedia looks like.
Live Statistics
English Articles
Improved in 24 Hours
Added in 24 Hours
What we do. Every page goes through several hundred of perfecting techniques; in live mode. Quite the same Wikipedia. Just better.
Great Wikipedia has got greater.
.
Leo
Newton
Brights
Milds

HTTP parameter pollution

From Wikipedia, the free encyclopedia

HTTP
Request methods
Header fields
Response status codes
Security access control methods
Security vulnerabilities

HTTP Parameter Pollution (HPP) is a web application vulnerability exploited by injecting encoded query string delimiters in already existing parameters. The vulnerability occurs if user input is not correctly encoded for output by a web application.[1] This vulnerability allows the injection of parameters into web application-created URLs. It was first brought forth to the public in 2009 by Stefano di Paola and Luca Carettoni, in the conference OWASP EU09 Poland.[1] The impact of such vulnerability varies, and it can range from "simple annoyance" to complete disruption of the intended behavior of a web application. Overriding HTTP parameters to alter a web application's behavior, bypassing input and access validation checkpoints, as well as other indirect vulnerabilities, are possible consequences of a HPP attack.[1]

There is no RFC standard on what should be done when it has passed multiple parameters. HPP could be used for cross channel pollution, bypassing CSRF protection and WAF input validation checks.[2]

Behaviour

When they are passed multiple parameters with the same name, here is how various back ends behave.[3]

Behaviour when "param" is passed the values "val1" & "val2"
Technology Parsing result Example
ASP.NET/IIS All occurrences concatenated with a comma param=val1,val2
ASP/IIS All occurrences concatenated with a comma param=val1,val2
PHP/Apache Last occurrence only param=val2
PHP/Zeus Last occurrence only param=val2
JSP, Servlet/Apache Tomcat First occurrence only param=val1
JSP, Servlet/Oracle Application Server First occurrence only param=val1
JSP, Servlet/Jetty First occurrence only param=val1
IBM Lotus Domino Last occurrence only param=val2
IBM HTTP Server First occurrence only param=val1
mod_perl,libapreq2/Apache First occurrence only param=val1
Perl CGI/Apache First occurrence only param=val1
mod_wsgi (Python)/Apache First occurrence only param=val1
Python/Zope All occurrences in list(array) param=['val1','val2']

Types

Client-side

  • First Order / Reflected HPP[4]
  • Second Order / Stored HPP[4]
  • Third Order / DOM HPP[4]

Server-side

  • Standard HPP[4]
  • Second Order HPP[4]

Prevention

Proper input validation and awareness about web technology on HPP is protection against HTTP Parameter Pollution.[5]

See also

References

  1. ^ a b c Balduzzi et al. 2011, p. 2.
  2. ^ "HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.
  3. ^ "WSTG - Latest:Testing for HTTP Parameter Pollution".
  4. ^ a b c d e Luca Carettoni; Stefano Di Paola. "HTTP Parameter Pollution" (PDF).
  5. ^ "How to Detect HTTP Parameter Pollution Attacks".

Bibliography

Stub icon

This World Wide Web–related article is a stub. You can help Wikipedia by expanding it.

This page was last edited on 5 September 2023, at 16:44
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.
Contact WIKI 2
Introduction
Terms of Service
Privacy Policy