HTTP Parameter Pollution (HPP) abuses the fact that different components handle duplicate parameters differently. Send id=1&id=2 and one layer might read the first value, another the last, and a third might join them. When a security check and the business logic disagree on which value counts, you get filter bypass, WAF evasion, or logic flaws.
- HTTP does not define what to do with repeated parameters
- Each stack picks its own rule (first, last, all-concatenated, or array)
- A front-end validates one value while the back-end acts on another
# Duplicate parameters - watch which value wins
GET /transfer?amount=100&amount=99999 HTTP/1.1
# Bypass a filter that only checks the first value
GET /search?q=safe&q=<script>alert(1)</script> HTTP/1.1
# Split a blocked payload across duplicates (concatenating stacks)
GET /x?p=UNION&p=SELECT HTTP/1.1Common parsing behavior:
PHP / Apache -> last value
ASP.NET / IIS -> comma-joined ("1,2")
JSP / Tomcat -> first value
Node.js (express) -> array ["1","2"]
- Burp Suite Repeater - flip parameter order and observe
- param-miner - discover hidden/duplicated params
- Duplicate a sensitive parameter with two different values
- Note which value the response acts on (first, last, or joined)
- Where a WAF or client-side check exists, put the clean value where it looks and the payload where the app reads
- Test both query string and POST body, and mixed sources
- Normalize input: reject or explicitly handle duplicate parameters
- Read parameters from one source consistently, server-side
- Keep the validating layer and the consuming layer on the same parsing rules
- Do not trust WAF-only filtering for injection classes
- CWE-235: Improper Handling of Extra Parameters