Status: Stable
Version: 1.0.0
Author: Rifteo
Tags: pentest, security, web
Summary
Exploit inconsistencies in how different server technologies handle duplicate HTTP parameters, yielding WAF bypasses, privilege escalation, payment manipulation, and OAuth token theft.
- Phase 1 fingerprints how the target handles duplicate parameters (first-wins, last-wins, concatenation, or array) per server technology
- Phase 2 covers server-side HPP: precedence abuse, payload splitting for WAF bypass, security parameter override, and access control bypass
- Phase 3 covers client-side HPP: URL-encoded parameter injection, OAuth redirect_uri pollution, social sharing URL injection, and link injection
- Phases 4–5 target WAF bypass via duplicate parameters and array syntax, plus header and JSON body pollution
- Phase 6 documents high-value attack scenarios: OAuth token theft, payment bypass, coupon stacking, privilege escalation, and SSRF via HPP
- Includes an automation script and a complete report structure
HPP Hunter
HTTP Parameter Pollution (HPP) exploits how different server technologies handle duplicate HTTP parameters in inconsistent ways. The same request can be interpreted differently by a WAF, a front-end proxy, and a back-end application, creating bypasses, logic flaws, and privilege escalation paths.
When to Use This Skill
Use this skill when the user:
- Wants to test for HTTP Parameter Pollution
- Is trying to bypass a WAF with a known-blocked payload
- Sees a payment, role, or redirect parameter and wants to test override attacks
- Is testing OAuth flows for redirect_uri manipulation
What Does It Check?
In scope:
- Server-side HPP: parameter precedence abuse, WAF bypass via splitting, security parameter override
- Client-side HPP: URL-encoded injection, OAuth redirect_uri pollution, link injection
- Header pollution: X-Forwarded-For, X-Original-URL, Host duplication
- JSON body pollution: duplicate keys with first-wins vs. last-wins behavior
- High-value scenarios: OAuth token theft, payment bypass, privilege escalation, SSRF
Out of scope:
- Other vulnerability classes; HPP is specifically about duplicate parameter handling
How It Works
Phase 1: Fingerprint Parameter Handling
Send a parameter twice with the values `red` and `blue` and check which value the response reflects:
| Result | Behavior |
|---|---|
| Only red | First-wins |
| Only blue | Last-wins |
| red,blue | Concatenation |
| Array / both visible | Array |
Typical behavior per server technology:
| Technology | Behavior |
|---|---|
| PHP/Apache | Last wins |
| ASP.NET/IIS | Joined with `,` |
| JSP/Tomcat | First wins |
| Node.js/Express | Array |
| Python/Flask | First wins |
| Ruby/Rails | Last wins |
Client-side HPP targets parameters that get reflected into links, using an encoded `%26`. Header pollution duplicates X-Forwarded-For to bypass IP allowlists. JSON body pollution uses duplicate JSON keys to override security-critical values.
Output
| Severity | Condition |
|---|---|
| Critical | OAuth redirect_uri pollution → token theft |
| High | Payment parameter override, privilege escalation |
| Medium | WAF bypass enabling previously-blocked injection |
| Low | Client-side reflected HPP with victim interaction required |
Known Limitations
- Effectiveness depends entirely on the server’s duplicate parameter handling behavior; always fingerprint first
- JSON key deduplication is parser-specific; test with both orderings
- WAF bypass requires that the WAF and back-end have different parameter precedence rules
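The Phase 1 precedence rules and the JSON deduplication caveat above both come down to parsers silently picking one of several supplied values. The following added example (not part of this skill or its automation script) shows Python's own last-wins behavior for query strings and JSON, and a strict variant that refuses duplicated keys instead of resolving them; the sensitive parameter names are illustrative assumptions.

```python
import json
from urllib.parse import parse_qsl

# Parameters for which a duplicate must be an error, never resolved by
# first-wins/last-wins precedence (illustrative names chosen for this example).
SENSITIVE_PARAMS = {"role", "amount", "redirect_uri", "user_id", "coupon"}


class DuplicateParameterError(ValueError):
    """A request carried a duplicated security-relevant key."""


def duplicate_keys(pairs):
    """Keys occurring more than once in a (key, value) sequence, in first-seen order."""
    seen, dups = set(), []
    for key, _ in pairs:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def lenient_query(qs):
    """Last-wins parsing: dict() keeps the final value, so 'amount=100&amount=1' becomes '1'."""
    return dict(parse_qsl(qs, keep_blank_values=True))


def lenient_json_loads(body):
    """Python's json.loads is also last-wins for duplicate object keys."""
    return json.loads(body)


def validate_query(qs):
    """Sensitive parameters that appear more than once (empty list when clean)."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    return [k for k in duplicate_keys(pairs) if k in SENSITIVE_PARAMS]


def strict_query(qs):
    """Reject duplicated sensitive parameters; keep every value of other keys as a list."""
    bad = validate_query(qs)
    if bad:
        raise DuplicateParameterError(f"duplicated sensitive parameters: {bad}")
    params = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        params.setdefault(key, []).append(value)
    return params


def strict_json_loads(body):
    """object_pairs_hook sees every pair before deduplication, so duplicates can be refused."""
    def hook(pairs):
        bad = duplicate_keys(pairs)
        if bad:
            raise DuplicateParameterError(f"duplicated JSON keys: {bad}")
        return dict(pairs)
    return json.loads(body, object_pairs_hook=hook)
```

Run the strict parsers at the edge that makes the security decision; a WAF that tolerates duplicates in front of a back-end that resolves them is exactly the inconsistency the phases above rely on.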
Related skills
redirect-forge
Complete open redirect detection and exploitation methodology including OAuth token theft
ssrf-hunter
Complete SSRF detection and exploitation methodology: cloud metadata, internal network enumeration, and bypass techniques
xss-hunter
Complete XSS testing methodology: reflected, stored, DOM-based, blind, and mutation XSS

