HTTP Parameter Pollution
- Risk: Informational
- Type: Active
- CWE: CWE-20
- Summary
HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
- Solution
Properly sanitize user input for parameter delimiters.
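The following is an added example, not part of the original alert text: it shows a server-side request builder that concatenates a user-supplied value into a query string, the same builder with the value percent-encoded, and an input check for raw or encoded delimiters. The backend URL, the parameter names `action` and `account`, and all function names are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit

# Hypothetical backend endpoint (assumption, not from the alert text).
BACKEND = "https://backend.example/account"


def build_unsafe(account: str) -> str:
    """Vulnerable: the already-decoded user value is concatenated as-is, so an
    embedded '&' starts a new parameter in the outgoing request."""
    return f"{BACKEND}?action=view&account={account}"


def build_safe(account: str) -> str:
    """Hardened: urlencode() percent-encodes delimiters inside the value, so the
    backend sees exactly one 'action' and one 'account' parameter."""
    return f"{BACKEND}?{urlencode({'action': 'view', 'account': account})}"


def has_delimiters(value: str, max_rounds: int = 5) -> bool:
    """Input check: True if the value contains query-string delimiters, either
    raw or hidden behind one or more layers of percent-encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return any(ch in value for ch in "&=#?;")


def duplicated_params(url: str) -> list:
    """Names that occur more than once in the query string of a URL."""
    counts = {}
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    # Constructed sample: what the framework hands to the application after
    # decoding a submitted value of 1234%26action%3Ddelete.
    submitted = "1234&action=delete"
    print(build_unsafe(submitted), duplicated_params(build_unsafe(submitted)))
    print(build_safe(submitted), duplicated_params(build_safe(submitted)))
    print(has_delimiters("1234%26action%3Ddelete"), has_delimiters("1234"))
```

Which of two duplicate parameters the receiving application honours depends on its platform, so the duplicate check is also useful as a regression test on outgoing requests.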