performing-http-parameter-pollution-attack

Execute HTTP Parameter Pollution attacks to bypass input validation, WAF rules, and security controls by injecting duplicate parameters that are processed differently by front-end and back-end systems.

AI & Automation 16,326 stars 1981 forks Updated 2 weeks ago Apache-2.0

Quality Score: 97/100

- Stars (20%): 100
- Recency (20%): 90
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Performing HTTP Parameter Pollution Attack

## When to Use

- When testing web applications for input validation bypass vulnerabilities
- During WAF evasion testing to split attack payloads across duplicate parameters
- When assessing how different technology stacks handle duplicate HTTP parameters
- During API security testing to identify parameter precedence issues
- When testing OAuth or payment processing flows for parameter manipulation

## Prerequisites

- Burp Suite Professional with Intruder and Repeater modules
- Understanding of HTTP protocol and query string parsing
- Knowledge of server-side parameter handling differences (first, last, array, concatenated)
- cURL or httpie for manual parameter crafting
- Target application technology stack identification (Apache, IIS, Tomcat, Node.js, etc.)

> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## Workflow

### Step 1 — Identify Parameter Handling Behavior

```bash
# Test how the server handles duplicate parameters
# Different servers process duplicates differently:
#   Apache/PHP:      Last parameter value
#   ASP.NET/IIS:     All values concatenated with comma
#   JSP/Tomcat:      First parameter value
#   Node.js/Express: Array of values
#   Python/Flask:    First parameter value
curl -v "http://target.com/search?q=first&q=second"
# Observe which value the applicat...
```
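A defender-side check for the mismatch Step 1 describes, as an added example that is not part of the skill or its repository: it scans request URLs for duplicated parameters and reports those that a front-end and a back-end stack would resolve to different values. The stack semantics come from the list above; the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Duplicate-parameter semantics as listed in Step 1 (assumed to hold as stated there).
RESOLVERS = {
    "Apache/PHP": lambda vals: vals[-1],         # last value wins
    "ASP.NET/IIS": lambda vals: ",".join(vals),  # all values joined with a comma
    "JSP/Tomcat": lambda vals: vals[0],          # first value wins
    "Node.js/Express": lambda vals: list(vals),  # array of values
    "Python/Flask": lambda vals: vals[0],        # first value wins
}

def duplicated_params(url):
    """Return {name: [values, ...]} for each parameter that occurs more than once."""
    seen = {}
    # parse_qsl percent-decodes, so encoded and plain forms compare equal.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}

def interpretations(values):
    """Map each stack to the value it would hand the application."""
    return {stack: resolve(values) for stack, resolve in RESOLVERS.items()}

def audit(urls, front, back):
    """List (url, param, front_value, back_value) where the two stacks disagree."""
    findings = []
    for url in urls:
        for name, values in duplicated_params(url).items():
            seen = interpretations(values)
            if seen[front] != seen[back]:
                findings.append((url, name, seen[front], seen[back]))
    return findings

# Constructed sample request lines (not taken from any real log).
SAMPLE_URLS = [
    "/search?q=first&q=second",      # duplicate with different values
    "/search?q=a&q=%61",             # duplicate, identical after decoding
    "/item?id=7&sort=asc",           # no duplicates
    "/list?page=1&sort=asc&page=2",  # duplicate split around another parameter
]

if __name__ == "__main__":
    for url, name, front_val, back_val in audit(SAMPLE_URLS, "JSP/Tomcat", "Apache/PHP"):
        print(f"{url}: '{name}' is {front_val!r} at the front end, {back_val!r} at the back end")
```

Requests flagged here are the ones where a filter that validates one occurrence and an application that consumes another would disagree; rejecting or canonicalising duplicated parameters at the edge removes that gap.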

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: 2 weeks ago
- Language: Python
- License: Apache-2.0
