Client-Side HTTP Parameter Pollution is a client-side security vulnerability in web applications designed to use HTTP requests. HTTP parameter pollution exploits the ability of HTTP methods such as POST, PUT and DELETE to send additional data with a request. This allows attackers to inject arbitrary HTML code which will be processed by the vulnerable application as part of its normal operation. The vulnerability specifically targets web frameworks that facilitate the development of SPAs (Single Page Applications) where content can be dynamically generated before page rendering or in response to user actions.
Factors Affecting Attack:
- These conditions make the attack difficult to exploit but do not prevent it from occurring. Attackers may take advantage of the inter-view prediction of some video codecs (such as H.264) in order to send as much malicious data as possible within a video frame without being detected by the transport layer.
- This vulnerability should not be confused with HTTP Response Splitting, which is a related server-side vulnerability affecting servers that pass additional information via the Status-Line in HTTP responses.
Countermeasures:
- Because the intentions and objective of the attacker are to send malicious data, a countermeasure should prevent the body of an HTTP request to be placed in a different request.
- A common response to Client-Side HTTP Parameter Pollution is “URL encoding”. It consists of escaping all HTML entities before performing any parameter replacement on the resulting string.
- However, this can be a performance bottleneck, especially when the application generates a large amount of dynamically generated content.
- An alternative approach is “HTTP response splitting”, which results in two HTTP responses: one for the “normal” browser rendering, and one for all other requests.
Conclusion:
A new, fine-grained parameter parsing function should be implemented in web frameworks. The following properties should be checked, in order to avoid all possible attacks. So far, no reported or published exploits take advantage of this kind of attack. Moreover, no reports about this vulnerability have been found in the wild.HTTP Parameter Pollution seems to be an innovative attack that uses some side-channel information from video formats (in particular H.264) in order to bypass application filters and authorization mechanisms. Moreover, its exploitation is not trivial and not easy; however, it is possible.