HTTP Parameter Pollution involves sending in duplicate parameters
in order to take advantage of how the application server reacts to
parsing multiple parameters with the same name.
Each brand of web application server acts a little differently when
two or more parameters with the same name are submitted.
This page implements "GET for POST" to make this exercise easier.
HTTP Parameter Pollution Tutorial
HTTP Parameter Pollution occurs when multiple parameters with the same name are sent to
a web page. The web server may exhibit odd behavior and process the request despite
having multiple parameters with the same name. There is nothing in the HTTP protocol that
forbids passing multiple parameters with the same name. Web application servers will
sometimes take the first parameter, the second parameter, or concatenate both together.
This can allow an attacker to poison the input.
The first step to HTTP Parameter Pollution is to locate all parameters, then duplicate each one and see
how the web server reacts.
Try sending two "choice" parameters. Note carefully which of the two PHP processes.
Change the value of the submit button. Add "&choice=something" to the current value. This will create
a second "choice" parameter in the GET. Note which choice parameter is actually processed. Is it the correct
parameter or the injected parameter?
Change the value of the hidden parameter which comes before the real "choice" parameter. Add "&choice=something" to the current value. This will create
a second "choice" parameter in the GET. Note which choice parameter is actually processed. Is it the correct
parameter or the injected parameter?
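
The three behaviours described above (first value, second value, concatenation), as an added Python example that is not part of the original page: it resolves one duplicated query string all three ways, flags duplicated names, and shows that percent-encoding a value keeps an embedded "&choice=" from becoming a second parameter. The function names, the sample values and the "," separator are assumptions of this example.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample query string; "choice" is the parameter named in the tutorial,
# the values are made up for this example.
POLLUTED = "choice=first-value&choice=something"


def resolve(query, policy):
    """Collapse duplicate names using one of the three behaviours the tutorial lists."""
    if policy not in ("first", "last", "concat"):
        raise ValueError("unknown policy: " + policy)
    resolved = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in resolved:
            resolved[name] = value
        elif policy == "last":
            resolved[name] = value
        elif policy == "concat":
            # The "," separator is an assumption of this example.
            resolved[name] += "," + value
        # policy == "first": keep the value already stored
    return resolved


def duplicated_names(query):
    """Return the parameter names that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for name, _ in parse_qsl(query, keep_blank_values=True):
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def build_query(params):
    """Percent-encode names and values so '&' or '=' inside a value stays data."""
    return urlencode(params)


if __name__ == "__main__":
    for policy in ("first", "last", "concat"):
        print(policy, resolve(POLLUTED, policy))
    print("duplicates:", duplicated_names(POLLUTED))
    safe = build_query({"choice": "first-value&choice=something"})
    print(safe, "->", duplicated_names(safe))
```

When the application expects each name once, a request filter can log or reject any request for which duplicated_names returns a non-empty list, so every layer sees the same single value.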