CAPEC-460

HTTP Parameter Pollution (HPP)
Moyen
Draft
2014-06-23
00h00 +00:00
2022-02-22
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Gestion des notifications

Descriptions du CAPEC

An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.

Informations du CAPEC

Flux d'exécution

1) Explore

[Find User Input] The adversary finds anywhere in the web application that uses user-supplied input in a form or action. This can also be found by looking at parameters in the URL in the navigation bar of the browser

2) Experiment

[Add Duplicate Parameter Values] Once the adversary has identified what user input is used as HTTP parameters, they will add duplicates to each parameter one by one to observe the results. If the response from the HTTP request shows the duplicate parameter value concatenated with the original parameter value in some way, or simply just the duplicate parameter value, then HPP is possible.

Technique
  • In the URL, add a duplicate parameter by using the "&" delimiter. For example "par1=val1" becomes "par1=val1&par1=val2". Depending on the backend API, this could be treated as "par1=val1, val2", which could lead to par1 being set to val2, ignoring val1.
  • If the request is created based on user input directly on the page, the adversary will test by adding an encoded delimiter to the input. For example, the adverary might supply "1000%26action=withdraw" and the backend might interpret a POST request with the paramters "action=deposit&amount=1000&action=withdraw"
3) Exploit

[Leverage HPP] Once the adversary has identified how the backend handles duplicate parameters, they will leverage this by polluting the paramters in a way that benefits them. In some cases, hardcoded parameters will be disregarded by the backend. In others, the adversary can bypass a WAF that might only check a parameter before it has been concatenated by the backend, resulting in malicious queries getting through.

Conditions préalables

HTTP protocol is used with some GET/POST parameters passed

Ressources nécessaires

Any tool that enables intercepting and tampering with HTTP requests

Atténuations

Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests
Design: Perform URL encoding
Implementation: Use strict regular expressions in URL rewriting
Implementation: Beware of multiple occurrences of a parameter in a Query String

Faiblesses connexes

CWE-ID Nom de la faiblesse

CWE-88

 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

CWE-147

 Improper Neutralization of Input Terminators
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.

CWE-235

 Improper Handling of Extra Parameters
The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

Références

REF-397

HTTP Parameter Pollution
Luca Carettoni, Stefano di Paola.
https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

REF-606

OWASP Web Security Testing Guide
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution.html

Soumission

Nom Organisation Date Date de publication
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Nom Organisation Date Commentaire
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Mitigations, References, Taxonomy_Mappings
CAPEC Content Team The MITRE Corporation 2021-10-21 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Execution_Flow
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.