
CAPEC-460: HTTP Parameter Pollution (HPP)

Abstraction: Detailed
Status: Draft
Severity: Medium

Description

An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify application behavior, access and potentially exploit uncontrollable variables, and bypass input validation checkpoints and WAF rules.

Related weaknesses · 3

CWE-88, CWE-147, CWE-235

Related attack patterns · 2

CAPEC-15 (ChildOf), CAPEC-676 (CanPrecede)

Exploits · 3

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Input Terminators (cwe-147) | 100% | live
Weakness | Improper Handling of Extra Parameters (cwe-235) | 100% | live
Weakness | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (cwe-88) | 100% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Parameter Injection
CAPEC: XSS Through HTTP Query Strings
CAPEC: XSS Through HTTP Headers
CAPEC: Command Injection
CAPEC: Resource Injection
CAPEC: Web Services Protocol Manipulation

Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.