Let’s take a look at more parameter testing. Meet Reflected HTTP Parameter Pollution. HPP is an injection weakness vulnerability that occurs when an attacker can inject a delimiter and change the parameters or a value in a URL. Often HPP vulnerabilities are used to cause the original parameter value (from a name-value pair) to be cancelled out and a different value to be injected (e.g. changing a ‘SAVE’ function to a ‘DELETE’ function). Check it out!

In this example, we are injecting a delimiter into the switchMenuID parameter:

GET /landingpage.php?switchMenuId=1%26rhppvar%3DRHPP1234 HTTP/1.1
Referer: httphacker.com/landingpage.php
Accept: /
Pragma: no-cache
User-Agent: Mozilla/5.0 Gecko/20110614 Firefox/3.6.18
Connection: Keep-Alive

The injection occurs and now poses as a threat to anyone who executes the Menu Item links:

HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 4 Mar 2014 17:22:30 GMT
Content-Length: 87314

a href=”?tabId=1&switchMenuId=1&rhppvar=RHPP1234“>Menu Item 1
a href=”?tabId=2&switchMenuId=1&rhppvar=RHPP1234“>Menu Item 2
a href=”?tabId=3&switchMenuId=1&rhppvar=RHPP1234“>Menu Item 3
a href=”?tabId=4&switchMenuId=1&rhppvar=RHPP1234“>Menu Item 4
a href=”?tabId=5&switchMenuId=1&rhppvar=RHPP1234“>Menu Item 5

To mitigate this specific vulnerability, you need to utilize strict input validation to ensure that the encoded parameter delimiter (%26 in this example) is handled by the server properly. Always use proper URL encoding including user-supplied content within the links or other forms of output. To look at HPP vulnerabilities a bit further, my next couple of blogs will focus on Client-side HTML Parameter Pollution and CSRF Attacks via HPP. Protect those params!