AOH :: HP Unsorted H :: VA3508.HTM

HTTP Parameter Pollution
HTTP Parameter Pollution
HTTP Parameter Pollution

Hi Folks,
              during OWASP AppSec 2009 we have presented a newly discovered input validation vulnerability called "HTTP Parameter Pollution" (HPP). 

Basically, it can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters. 
During the last months, we have discovered several real world flaws in which HPP can be used to modify the application behaviors, access uncontrollable variables and even bypass input validation checkpoints and WAFs rules. Exploiting such HPP vulnerabilities, we have found several problems in some Google Search Appliance front-end scripts,, Yahoo! Mail Classic and many other products.

If you enjoy the web security world, you are kindly invited to have a look at: 

We're going to release additional materials in the next future, including a video of the Yahoo! attack vector. 
Stay tuned on and 

Luca Carettoni and Stefano Di Paola

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to