Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2026-05-08 12:43:34 +02:00
Code Issues Projects Releases Wiki Activity

Merge 768bc9c037 into 3ca2ecee21

Browse source
This commit is contained in:
liuwl 2026-04-22 11:50:16 +08:00 committed by GitHub
commit c1aef9f1f8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 19 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
HTTP Parameter Pollution/README.md
View file

@ -7,7 +7,9 @@
* [Tools](#tools)
* [Methodology](#methodology)
* [Parameter Pollution Table](#parameter-pollution-table)
* [Server-Side Parameter Pollution](#server-side-parameter-pollution)
* [Parameter Pollution Payloads](#parameter-pollution-payloads)
* [Labs](#labs)
* [References](#references)
## Tools
@ -55,6 +57,19 @@ When ?par1=a&par1=b
| Python/Zope | All occurrences in array | ['a','b'] |
| Ruby on Rails | Last occurrence | b |
### Server-Side Parameter Pollution
Server-side parameter pollution can happen when an application forwards user-controlled input into a backend API query string. URL-encoded delimiters can be used to test whether the backend request is parsed differently after decoding.
```ps1
/api/search?query=test%26debug=true
/api/search?query=test%23
/reset?email=User@example.com%26email=Administrator@example.com
/profile?user=User%26user=Administrator
```
Compare the responses with and without encoded delimiters. Check whether the injected delimiter creates a new backend parameter, overrides an existing one, or truncates parameters appended by the application.
### Parameter Pollution Payloads
* Duplicate Parameters:
@ -93,6 +108,10 @@ When ?par1=a&par1=b
}
```
## Labs
* [PortSwigger Web Security Academy - Exploiting server-side parameter pollution in a query string](https://portswigger.net/web-security/api-testing/server-side-parameter-pollution/lab-exploiting-server-side-parameter-pollution-in-query-string)
## References
* [How to Detect HTTP Parameter Pollution Attacks - Acunetix - January 9, 2024](https://web.archive.org/web/20260112091623/https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/)