How to prevent http parameter pollution?
Answers
Answer:
from web applications are commonly run on the user’s computer (such as Javascript), and not just on the application’s provider server (such as Servlets). As time goes by, there is the need for web applications to provide a multitude of services to their users while at the same time being consistent with functionality, interactivity and ease of use. For this reason, even the simplest web application may possibly obtain and process a plethora of different HTTP parameters. This could result in the exposure of an extensive variety of input validation or injection vulnerabilities, such as Cross-site Scripting, SQL Injection and Command Injection, waiting to be manipulated and exploited.
These web vulnerabilities are now ordinary and there has been a lot of research around them which has helped the web application field to be more secure. Nevertheless, a vulnerability that has been around for a long time has only now begun to raise alertness in the web security world – HTTP Parameter Pollution (HPP). This vulnerability was first presented by Stefano di Paola and Luca Carettoni in 2009 at the OWASP Poland conference. The fact that this vulnerability has been around for a long time means that numerous vulnerabilities affecting or targeting real-world applications have been discovered.
HTTP Parameter Pollution (HPP) in detail
HTTP Parameter Pollution, as implied by the name, pollutes the HTTP parameters of a web application in order to perform or achieve a specific malicious task/attack different from the intended behavior of the web application.
This hacking technique is considered to be simple, but quite effective. Furthermore, the main reason this attack can be realized is because the input is not sanitized properly. HPP injects encoded query string delimiters in existing or other HTTP parameters (i.e. GET/POST/Cookie), which make it feasible to supersede parameter values that already exist to inject a new parameter or exploit variables from direct access. This attack affects all web technologies, whether running client-side or server-side.
Generally, an attacker can use HPP vulnerabilities to:
Supersede existing hardcoded HTTP parameters.
Alter or modify the intended/normal application behavior.
Access and potentially exploit variables that are not been controlled properly.
Bypass WAFs rules or input validation mechanisms.
Thus, if a web application is vulnerable to HPP attacks, the security of the web application is compromised, giving an attacker an easy way to perform malicious or illegal activities