HTTP Parameter Pollution scanner

Type: Active Scan

Risk: Informational


HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.


Properly sanitize the user input for parameter delimiters


CWE: 20

WASC: 20


Last updated: 2020-04-30 16:12:39.623Z