OpenSkillIndex← back to search

Hacktricks-skills parameter-pollution

How to test for HTTP Parameter Pollution (HPP), JSON injection, and parameter parsing vulnerabilities in web applications. Use this skill whenever you're testing web apps for input validation issues, parameter manipulation, duplicate parameter handling, or JSON deserialization inconsistencies. Trigger this skill for any pentesting task involving URL parameters, form fields, API requests, or JSON payloads where parameter pollution could be exploited.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/pentesting-web/parameter-pollution/SKILL.MD
source content

Parameter Pollution Testing

This skill helps you identify and exploit HTTP Parameter Pollution (HPP) and JSON injection vulnerabilities in web applications.

Quick Start

  1. Identify the target technology (PHP, Flask, Django, Node.js, etc.)
  2. Test parameter parsing behavior using the technology-specific guide below
  3. Apply HPP techniques based on how the target handles duplicates
  4. Test for JSON injection if the application uses JSON APIs

HTTP Parameter Pollution (HPP) Testing

What is HPP?

HTTP Parameter Pollution occurs when an application processes duplicate HTTP parameters inconsistently. By adding, modifying, or duplicating parameters, you can manipulate application behavior.

Example:

Original:  https://victim.com/send/?from=accountA&to=accountB&amount=10000
Polluted:  https://victim.com/send/?from=accountA&to=accountB&amount=10000&from=accountC

The server might use 

accountC
instead of 
accountA
depending on its parameter parsing logic.

Testing Methodology

Step 1: Identify the Technology

Use tools like Wappalyzer or inspect response headers to determine:

  • Web framework (Flask, Django, Spring, Express, etc.)
  • Server (Apache, Nginx, Tomcat, etc.)
  • Language (PHP, Python, Node.js, Go, Ruby)

Step 2: Test Parameter Parsing Behavior

Send requests with duplicate parameters and observe which value the application uses:

# Test with curl
curl "https://target.com/api?param=value1&param=value2"

# Test with Burp Suite or similar proxy
GET /api?name=test1&name=test2 HTTP/1.1
Host: target.com

Step 3: Apply Technology-Specific Techniques

Refer to the Technology Reference section below for how each stack handles duplicates.

Common HPP Attack Vectors

VectorDescriptionExample
Parameter OverrideDuplicate a parameter to change its value
?user=admin&user=victim
Parameter InjectionAdd new parameters via URL encoding
?input=test%26malicious=value
Query TruncationUse 
#
to truncate downstream queries
?input=test%23
Array InjectionUse 
[]
syntax if supported
?data[]=value1&data[]=value2

Server-Side Parameter Pollution (SSPP)

Some applications embed user input into internal API requests. Test for SSPP by:

  1. Adding parameters with 
    %26
    (URL-encoded 
    &
    )
  2. Truncating queries with 
    %23
    (URL-encoded 
    #
    )
  3. Overriding existing parameters by duplicating them

Example:

GET /userSearch?name=peter%26name=carlos&back=/home

May result in internal request:

GET /users/search?name=peter&name=carlos&publicProfile=true

Client-Side HPP Testing

Inject URL-encoded 

&
into reflected parameters:

# Inject %26 (URL-encoded &)
curl "https://target.com/search?q=test%26HPP_TEST"

Look for decoded occurrences in the response:

  • &HPP_TEST
    - parameter was decoded and could be exploited
  • &HPP_TEST
    - properly escaped, likely safe

Technology Reference

PHP (Apache)

BehaviorDetails
Duplicate handlingUses last parameter value
Array syntaxRecognizes 
name[]
Null byteIgnores anything after 
%00
in parameter name
GET vs $_GET
$_GET
is not the same as GET method

Exploitation tip: Place malicious value as the last duplicate parameter.

Python Flask / Werkzeug

BehaviorDetails
Duplicate handlingUses first parameter value
Array syntaxDoes NOT recognize 
name[]

Exploitation tip: Place malicious value as the first duplicate parameter.

Python Django

BehaviorDetails
Duplicate handlingUses last parameter value
Array syntaxDoes NOT recognize 
name[]

Python Tornado

BehaviorDetails
Duplicate handlingUses last parameter value
Array syntaxDoes NOT recognize 
name[]

Node.js Express

BehaviorDetails
Duplicate handlingConcatenates values (e.g., 
first,last
)
Array syntaxRecognizes 
name[]

Exploitation tip: Use array syntax or expect comma-separated values.

Go (Standard Library)

BehaviorDetails
Duplicate handlingUses first parameter value
Array syntaxDoes NOT recognize 
name[]

Ruby WEBrick

BehaviorDetails
Duplicate handlingUses first parameter value
Array syntaxDoes NOT recognize 
name[]
DelimitersUses both 
&
and 
;
to split parameters

Spring MVC / Tomcat

BehaviorDetails
Duplicate handlingConcatenates values (e.g., 
first,last
)
Array syntaxRecognizes 
name[]
in POST requests
PriorityPrefers 
name
over 
name[]
if both exist
Content-TypeRecognizes query parameters with Content-Type in POST

JSON Injection Testing

Duplicate Keys

Different JSON parsers handle duplicate keys differently:

{"test": "user", "test": "admin"}
  • Frontend might use first value (
    user
    )
  • Backend might use last value (
    admin
    )

This inconsistency can be exploited to bypass validation.

Key Collision Techniques

Use special characters to create key collisions:

{"test": 1, "test[raw \x0d byte]": 2}
{"test": 1, "test\ud800": 2}
{"test": 1, "test"": 2}
{"test": 1, "te\st": 2}

The frontend may see 

test == 1
while the backend sees 
test == 2
.

Bypass Value Restrictions

{"role": "administrator[raw \x0d byte]"}
{"role": "administrator\ud800"}
{"role": "administrator""}
{"role": "admini\strator"}

Comment Truncation

Some JSON parsers support comments:

{"test": 1, "extra": "a"/*, "test": 2, "extra2": "b"*/}

Java GSON:

{"test": 1, "extra": "a"}

Ruby simdjson:

{"test": 2, "extra": "a", "extra2": "b"}

Float/Integer Precision Issues

Very large numbers may be decoded differently:

{"id": 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999}

May become:

  • 9.999999999999999e95
  • 1E+96
  • 0
  • 9223372036854775807
    (max int64)

Practical Testing Checklist

  • Identify target technology stack
  • Test duplicate parameter handling (first vs last vs concatenate)
  • Test array syntax (
    name[]
    )
  • Test URL-encoded parameter injection (
    %26
    )
  • Test query truncation (
    %23
    )
  • Test client-side HPP with reflected parameters
  • Test JSON duplicate keys if API uses JSON
  • Test JSON comment injection
  • Test JSON key collision with special characters
  • Test large number precision issues
  • Document findings and affected endpoints

Tools

  • Burp Suite - Intercept and modify HTTP requests
  • Wappalyzer - Identify technology stack
  • curl - Quick parameter testing
  • Custom scripts - See 
    scripts/
    directory

References