HTTP Parameter Pollution
HTTP Parameter Pollution is when arbitrary values are entered in web parameters in an effort to cause unexpected behavior. The goal is to use that unexpected behavior to expose a client-side or server-side weakness, such as HTML injection or command injection.
HTTP parameters are typically managed and processed by the web application server. In a web application, testing HTTP Parameter Pollution can be as simple as incrementing a page ID number in the URL. For example, if the page URL ends with .php?id=1, you can try to change the id number to the number 2, such as .php?id=2.
Different values can be supplied by changing parameters in HTTP GET and POST requests. Injecting multiple parameters with different values will allow you to receive specific error codes. HTTP error codes can be used to determine your next course of action.
1×× Informational
2×× Success
- 200 OK
- 201 Created
- 202 Accepted
- 203 Non-authoritative Information
- 204 No Content
- 205 Reset Content
- 206 Partial Content
- 207 Multi-Status
- 208 Already Reported
- 226 IM Used
3×× Redirection
- 300 Multiple Choices
- 301 Moved Permanently
- 302 Found
- 303 See Other
- 304 Not Modified
- 305 Use Proxy
- 307 Temporary Redirect
- 308 Permanent Redirect
4×× Client Error
- 400 Bad Request
- 401 Unauthorized
- 402 Payment Required
- 403 Forbidden
- 404 Not Found
- 405 Method Not Allowed
- 406 Not Acceptable
- 407 Proxy Authentication Required
- 408 Request Timeout
- 409 Conflict
- 410 Gone
- 411 Length Required
- 412 Precondition Failed
- 413 Payload Too Large
- 414 Request-URI Too Long
- 415 Unsupported Media Type
- 416 Requested Range Not Satisfiable
- 417 Expectation Failed
- 418 I’m a teapot
- 421 Misdirected Request
- 422 Unprocessable Entity
- 423 Locked
- 424 Failed Dependency
- 426 Upgrade Required
- 428 Precondition Required
- 429 Too Many Requests
- 431 Request Header Fields Too Large
- 444 Connection Closed Without Response
- 451 Unavailable For Legal Reasons
- 499 Client Closed Request
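Server stacks resolve a repeated parameter differently (first value, last value, or all values joined), so a request such as .php?id=1&id=2 can mean one thing to an input filter and another to the application behind it. The following is an added example, not code from the original page: a server-side check that flags repeated parameter names and answers 400 Bad Request instead of guessing. The function names, the allow_multi parameter and the sample query strings are assumptions made for illustration.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed sample query strings (not taken from the page).
SAMPLE_CLEAN = "id=1&tag=a&tag=b"
SAMPLE_DUPLICATE = "id=1&id=2"
SAMPLE_ENCODED = "id=1&%69d=2"   # "%69d" percent-decodes to "id"


def find_repeated_params(query):
    """Return {name: [values]} for every parameter name that occurs more than once.

    parse_qsl percent-decodes names, so an encoded duplicate is still caught.
    """
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}


def interpretations(query, name):
    """Show how first-wins, last-wins and join-all parsers would read `name`."""
    vals = [v for n, v in parse_qsl(query, keep_blank_values=True) if n == name]
    if not vals:
        return {}
    return {"first": vals[0], "last": vals[-1], "joined": ",".join(vals)}


def check_request(query, allow_multi=frozenset()):
    """Return (status, detail): 400 plus the offending names, or 200 plus parsed values.

    `allow_multi` (hypothetical) lists parameters that are legitimately multi-valued.
    """
    repeated = {n: v for n, v in find_repeated_params(query).items()
                if n not in allow_multi}
    if repeated:
        return 400, repeated
    return 200, parse_qs(query, keep_blank_values=True)


if __name__ == "__main__":
    for q in (SAMPLE_CLEAN, SAMPLE_DUPLICATE, SAMPLE_ENCODED):
        print(q, "->", check_request(q, allow_multi={"tag"}))
    print(interpretations(SAMPLE_DUPLICATE, "id"))
```

Logging the rejected names alongside the 400 gives a detection signal: repeated single-valued parameters rarely occur in legitimate traffic.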