
Client-Side HTTP Parameter Pollution Attack

Last Updated : 13 Oct, 2022

Client-Side HTTP Parameter Pollution is a client-side security vulnerability in web applications designed to use HTTP requests. HTTP parameter pollution exploits the ability of HTTP methods such as POST, PUT and DELETE to send additional data with a request. This allows attackers to inject arbitrary HTML code which will be processed by the vulnerable application as part of its normal operation. The vulnerability specifically targets web frameworks that facilitate the development of SPAs (Single Page Applications) where content can be dynamically generated before page rendering or in response to user actions.


Factors Affecting Attack:

  • These conditions make the attack difficult to exploit but do not prevent it from occurring. Attackers may take advantage of the inter-view prediction of some video codecs (such as H.264) in order to send as much malicious data as possible within a video frame without being detected by the transport layer.
  • This vulnerability should not be confused with HTTP Response Splitting, which is a related server-side vulnerability affecting servers that pass additional information via the Status-Line in HTTP responses.

Countermeasures: 

  • Because the attacker's intention and objective is to send malicious data, a countermeasure should prevent the body of an HTTP request from being placed in a different request.
  • A common response to Client-Side HTTP Parameter Pollution is “URL encoding”. It consists of escaping all HTML entities before performing any parameter replacement on the resulting string. 
  • However, this can be a performance bottleneck, especially when the application generates a large amount of dynamically generated content.
  • An alternative approach is “HTTP response splitting”, which results in two HTTP responses: one for the “normal” browser rendering, and one for all other requests.
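
The URL-encoding countermeasure above, shown as an added example that is not code from the original article: a page copies a request parameter into a link it generates, first without and then with percent-encoding. The `/vote` path, the parameter names, the function names and the sample value are constructed for illustration.

```javascript
// Constructed sample: the poll_id value as it arrives in the incoming request.
const SAMPLE_POLL_ID = '4568&action=delete';

// Vulnerable form: the value is concatenated into the query string as-is,
// so any '&' or '=' inside it is read as a delimiter when the link is parsed.
function buildLinkUnsafe(pollId) {
  return '/vote?action=view&poll_id=' + pollId;
}

// Hardened form: the value is percent-encoded before it is placed in the
// link, so delimiter characters inside it remain part of the value.
function buildLinkSafe(pollId) {
  return '/vote?action=view&poll_id=' + encodeURIComponent(pollId);
}

// Collects every value seen for each parameter name in a generated link.
function parameterValues(link) {
  const seen = new Map();
  const start = link.indexOf('?');
  if (start === -1) return seen; // no query string, nothing to inspect
  for (const [name, value] of new URLSearchParams(link.slice(start + 1))) {
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  return seen;
}

// A parameter name that occurs more than once is the pollution signal:
// different parsers may pick the first, the last, or a joined value.
function pollutedNames(link) {
  return [...parameterValues(link)]
    .filter(([, values]) => values.length > 1)
    .map(([name]) => name);
}

for (const build of [buildLinkUnsafe, buildLinkSafe]) {
  const link = build(SAMPLE_POLL_ID);
  console.log(build.name, link, 'duplicated:', pollutedNames(link));
}
```

The `pollutedNames` check can also run in a test suite over the links a page generates, as a regression guard for values that were embedded without encoding.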

Conclusion: 

A new, fine-grained parameter parsing function should be implemented in web frameworks. The following properties should be checked, in order to avoid all possible attacks. So far, no reported or published exploits take advantage of this kind of attack. Moreover, no reports about this vulnerability have been found in the wild.

HTTP Parameter Pollution seems to be an innovative attack that uses some side-channel information from video formats (in particular H.264) in order to bypass application filters and authorization mechanisms. Moreover, its exploitation is not trivial and not easy; however, it is possible.

