This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Testing for HTTP Parameter pollution (OTG-INPVAL-004)
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
Brief Summary
Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors, or modify internal variables values.
Description of the Issue
Current HTTP standards do not include guidance on how to interpret multiple input parameters with the same name. Without a standard in place, web applications handle this edge case in a variety of ways (see the table below for details). It is not necessarily an indication of vulnerability when an application server responds to multiple similar parameters; this is expected behavior for handling an unusual input. The vulnerability depends if an one can abuse the concatenation or substitution of variable values to cause errors or bypass validation.
Web Application Server Backend | Parsing Result | Example |
---|---|---|
ASP.NET / IIS | All occurrences concatenated with a comma | color=red,blue |
ASP / IIS | All occurrences concatenated with a comma | color=red,blue |
PHP / Apache | Last occurrence only | color=blue |
PHP / Zeus | Last occurrence only | color=blue |
JSP, Servlet / Apache Tomcat | First occurrence only | color=red |
JSP, Servlet / Oracle Application Server 10g | First occurrence only | color=red |
JSP, Servlet / Jetty | First occurrence only | color=red |
IBM Lotus Domino | Last occurrence only | color=blue |
IBM HTTP Server | First occurrence only | color=red |
mod_perl, libapreq2 / Apache | First occurrence only | color=red |
Perl CGI / Apache | First occurrence only | color=red |
mod_wsgi (Python) / Apache | First occurrence only | color=red |
Python / Zope | All occurrences in List data type | color=['red','blue'] |
(source: Media:AppsecEU09_CarettoniDiPaola_v0.8.pdf
Black Box testing and example
Testing for Topic X vulnerabilities:
...
Result Expected:
...
References
Whitepapers
...
Tools
...