{"id":477500,"date":"2023-08-09T09:15:57","date_gmt":"2023-08-09T09:15:57","guid":{"rendered":""},"modified":"2023-09-05T11:14:50","modified_gmt":"2023-09-05T11:14:50","slug":"http-parameter-pollution","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/cn\/wiki\/http-parameter-pollution\/","title":{"rendered":"HTTP \u53c2\u6570\u6c61\u67d3"},"content":{"rendered":"

HTTP \u53c2\u6570\u6c61\u67d3 (HPP) \u662f\u4e00\u79cd\u7ecf\u5e38\u88ab\u5ffd\u89c6\u7684\u7f51\u7edc\u5b89\u5168\u6f0f\u6d1e\uff0c\u4e3b\u8981\u901a\u8fc7\u64cd\u7eb5\u901a\u8fc7 HTTP \u8bf7\u6c42\u53d1\u9001\u7684\u6570\u636e\u6765\u5f71\u54cd Web \u5e94\u7528\u7a0b\u5e8f\u3002\u672c\u6587\u6df1\u5165\u63a2\u8ba8\u4e86 HPP \u7684\u5386\u53f2\u3001\u64cd\u4f5c\u548c\u4e3b\u8981\u529f\u80fd\uff0c\u4ee5\u53ca\u5b83\u7684\u5404\u79cd\u7c7b\u578b\u3001\u6f5c\u5728\u7528\u9014\u4ee5\u53ca\u76f8\u5173\u95ee\u9898\u548c\u89e3\u51b3\u65b9\u6848\u3002\u672c\u6587\u8fd8\u63a2\u8ba8\u4e86 HPP \u4e0e\u4ee3\u7406\u670d\u52a1\u5668\u4e4b\u95f4\u7684\u8054\u7cfb\uff0c\u4ee5\u53ca\u4e0e\u8fd9\u79cd\u57fa\u4e8e Web \u7684\u73b0\u8c61\u76f8\u5173\u7684\u672a\u6765\u524d\u666f\u3002<\/p>\n

HTTP \u53c2\u6570\u6c61\u67d3\u7684\u6f14\u53d8<\/h2>\n

HTTP \u53c2\u6570\u6c61\u67d3\u6700\u65e9\u5728 2000 \u5e74\u4ee3\u521d\u671f\u88ab\u53d1\u73b0\u4e3a\u4e00\u79cd\u72ec\u7279\u7684 Web \u5e94\u7528\u7a0b\u5e8f\u6f0f\u6d1e\uff0c\u5f53\u65f6 Web \u6280\u672f\u53d1\u5c55\u8fc5\u901f\uff0c\u4e07\u7ef4\u7f51\u4e0d\u65ad\u6269\u5c55\u3002\u968f\u7740\u7f51\u7ad9\u5f00\u59cb\u8d8a\u6765\u8d8a\u4f9d\u8d56 HTTP GET \u548c POST \u8bf7\u6c42\u6765\u4f20\u8f93\u6570\u636e\uff0c\u9ed1\u5ba2\u53d1\u73b0\u4e86\u5229\u7528\u8fd9\u4e9b\u8bf7\u6c42\u5904\u7406\u53c2\u6570\u7684\u65b9\u5f0f\u7684\u6f5c\u529b\u3002<\/p>\n

\u9996\u6b21\u6709\u8bb0\u5f55\u63d0\u53ca HPP \u53ef\u4ee5\u8ffd\u6eaf\u5230 21 \u4e16\u7eaa\uff0c\u4f46\u8be5\u672f\u8bed\u672c\u8eab\u662f\u5728 2010 \u5e74 OWASP\uff08\u5f00\u653e\u5f0f Web \u5e94\u7528\u7a0b\u5e8f\u5b89\u5168\u9879\u76ee\uff09\u53d1\u5e03\u4e00\u7bc7\u8bba\u6587\u540e\u624d\u5f97\u5230\u7f51\u7edc\u5b89\u5168\u793e\u533a\u7684\u6b63\u5f0f\u8ba4\u53ef\uff0c\u4ece\u800c\u4f7f\u8be5\u6f0f\u6d1e\u6210\u4e3a\u4eba\u4eec\u5173\u6ce8\u7684\u7126\u70b9\u3002<\/p>\n

\u89e3\u6790 HTTP \u53c2\u6570\u6c61\u67d3<\/h2>\n

HTTP \u53c2\u6570\u6c61\u67d3\u662f\u4e00\u79cd\u7f51\u7edc\u6f0f\u6d1e\uff0c\u6d89\u53ca\u5c06\u64cd\u7eb5\u7684\u53c2\u6570\u6ce8\u5165 HTTP \u8bf7\u6c42\u3002\u8fd9\u53ef\u80fd\u4f1a\u8ba9\u653b\u51fb\u8005\u6539\u53d8\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u7684\u8fd0\u884c\u65b9\u5f0f\u3001\u7ed5\u8fc7\u8f93\u5165\u9a8c\u8bc1\u68c0\u67e5\u3001\u8bbf\u95ee\u654f\u611f\u6570\u636e\u5e76\u8fdb\u884c\u5176\u4ed6\u5f62\u5f0f\u7684\u7f51\u7edc\u653b\u51fb\u3002<\/p>\n

HPP \u662f\u6307 Web \u5e94\u7528\u7a0b\u5e8f\u5c06 HTTP \u8bf7\u6c42\u4e2d\u4e0d\u540c\u90e8\u5206\u540c\u540d\u7684 HTTP \u53c2\u6570\u7ec4\u5408\u6210\u4e00\u4e2a\u53c2\u6570\u3002\u901a\u8fc7\u64cd\u7eb5\u8fd9\u4e9b\u53c2\u6570\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4ee5\u610f\u60f3\u4e0d\u5230\u7684\u65b9\u5f0f\u63a7\u5236\u5e94\u7528\u7a0b\u5e8f\u7684\u884c\u4e3a\uff0c\u4ece\u800c\u5e26\u6765\u5404\u79cd\u6f5c\u5728\u7684\u5b89\u5168\u98ce\u9669\u3002<\/p>\n

HTTP \u53c2\u6570\u6c61\u67d3\u7684\u673a\u5236<\/h2>\n

HPP \u7684\u5185\u90e8\u5de5\u4f5c\u539f\u7406\u6839\u690d\u4e8e Web \u5e94\u7528\u7a0b\u5e8f\u5904\u7406 HTTP \u8bf7\u6c42\u7684\u65b9\u5f0f\u3002\u5728 HTTP \u8bf7\u6c42\u4e2d\uff0c\u53c2\u6570\u4f5c\u4e3a GET \u8bf7\u6c42\u4e2d\u7684 URL \u7684\u4e00\u90e8\u5206\u6216\u5728 POST \u8bf7\u6c42\u7684\u6b63\u6587\u4e2d\u53d1\u9001\u3002\u8fd9\u4e9b\u53c2\u6570\u53ef\u7528\u4e8e\u6307\u5b9a Web \u5e94\u7528\u7a0b\u5e8f\u5e94\u8fd4\u56de\u6216\u64cd\u4f5c\u7684\u6570\u636e\u3002<\/p>\n

\u5f53\u5411 Web \u5e94\u7528\u7a0b\u5e8f\u53d1\u51fa HTTP \u8bf7\u6c42\u65f6\uff0c\u5e94\u7528\u7a0b\u5e8f\u7684\u670d\u52a1\u5668\u4f1a\u5904\u7406\u8bf7\u6c42\u4e2d\u5305\u542b\u7684\u53c2\u6570\u3002\u4f46\u662f\uff0c\u5982\u679c\u5e94\u7528\u7a0b\u5e8f\u65e0\u6cd5\u6b63\u786e\u5904\u7406\u591a\u6b21\u5305\u542b\u76f8\u540c\u53c2\u6570\u7684\u60c5\u51b5\uff0c\u5c31\u4f1a\u4e3a HPP \u653b\u51fb\u521b\u9020\u673a\u4f1a\u3002<\/p>\n

\u5728 HPP \u653b\u51fb\u4e2d\uff0c\u653b\u51fb\u8005\u5728 HTTP \u8bf7\u6c42\u4e2d\u591a\u6b21\u5305\u542b\u76f8\u540c\u7684\u53c2\u6570\uff0c\u6bcf\u6b21\u5305\u542b\u4e0d\u540c\u7684\u503c\u3002\u7136\u540e\uff0c\u5e94\u7528\u670d\u52a1\u5668\u4ee5\u5f00\u53d1\u4eba\u5458\u672a\u9884\u671f\u7684\u65b9\u5f0f\u7ec4\u5408\u8fd9\u4e9b\u503c\uff0c\u4ece\u800c\u5bfc\u81f4\u6f5c\u5728\u7684\u5b89\u5168\u6f0f\u6d1e\u3002<\/p>\n

HTTP \u53c2\u6570\u6c61\u67d3\u7684\u4e3b\u8981\u7279\u5f81<\/h2>\n

HTTP \u53c2\u6570\u6c61\u67d3\u6709\u51e0\u4e2a\u660e\u786e\u7279\u5f81\u4e0e\u5176\u4ed6 Web \u6f0f\u6d1e\u533a\u5206\u5f00\u6765\uff1a<\/p>\n

    \n
  1. \u5b9a\u4f4d HTTP \u8bf7\u6c42\uff1a<\/strong> HPP \u4e13\u95e8\u9488\u5bf9 HTTP GET \u548c POST \u8bf7\u6c42\u4e2d\u7684\u53c2\u6570\u3002<\/li>\n
  2. \u53c2\u6570\u64cd\u4f5c\uff1a<\/strong> HPP \u653b\u51fb\u7684\u6838\u5fc3\u6d89\u53ca\u64cd\u7eb5\u8fd9\u4e9b\u53c2\u6570\u7684\u503c\u3002<\/li>\n
  3. \u53d6\u51b3\u4e8e\u5e94\u7528\u7a0b\u5e8f\u884c\u4e3a\uff1a<\/strong> HPP \u653b\u51fb\u7684\u5f71\u54cd\u5728\u5f88\u5927\u7a0b\u5ea6\u4e0a\u53d6\u51b3\u4e8e\u76ee\u6807 Web \u5e94\u7528\u7a0b\u5e8f\u5982\u4f55\u5904\u7406 HTTP \u8bf7\u6c42\u4e2d\u7684\u91cd\u590d\u53c2\u6570\u3002<\/li>\n
  4. \u53ef\u80fd\u4ea7\u751f\u7684\u5e7f\u6cdb\u5f71\u54cd\uff1a<\/strong> \u7531\u4e8e HPP \u53ef\u80fd\u4f1a\u5f71\u54cd\u4efb\u4f55\u4e0d\u80fd\u6b63\u786e\u5904\u7406\u91cd\u590d HTTP \u53c2\u6570\u7684 Web \u5e94\u7528\u7a0b\u5e8f\uff0c\u56e0\u6b64\u5176\u5f71\u54cd\u7684\u53ef\u80fd\u6027\u975e\u5e38\u5e7f\u6cdb\u3002<\/li>\n
  5. \u9690\u79d8\u7684\u65b9\u6cd5\uff1a<\/strong> HPP \u653b\u51fb\u5f88\u96be\u88ab\u53d1\u73b0\uff0c\u56e0\u4e3a\u5b83\u4eec\u53ef\u4ee5\u4f2a\u88c5\u6210\u5408\u6cd5\u7684\u7528\u6237\u8f93\u5165\u3002<\/li>\n<\/ol>\n

    HTTP \u53c2\u6570\u6c61\u67d3\u7684\u7c7b\u578b<\/h2>\n

    \u6839\u636e\u6240\u4f7f\u7528\u7684 HTTP \u65b9\u6cd5\uff0cHTTP \u53c2\u6570\u6c61\u67d3\u4e3b\u8981\u6709\u4e24\u79cd\u7c7b\u578b\uff1a<\/p>\n

      \n
    1. \u57fa\u4e8eGET\u7684HPP\uff1a<\/strong> \u8fd9\u79cd\u7c7b\u578b\u7684 HPP \u653b\u51fb\u4f1a\u64cd\u7eb5 HTTP GET \u8bf7\u6c42\u7684 URL \u4e2d\u7684\u53c2\u6570\u3002<\/li>\n
    2. \u57fa\u4e8e POST \u7684 HPP\uff1a<\/strong> \u8fd9\u79cd\u7c7b\u578b\u7684 HPP \u653b\u51fb\u4f1a\u64cd\u7eb5 HTTP POST \u8bf7\u6c42\u6b63\u6587\u4e2d\u7684\u53c2\u6570\u3002<\/li>\n<\/ol>\n\n\n\n\n\n\n
      HTTP \u65b9\u6cd5<\/th>\n\u63cf\u8ff0<\/th>\n\u6f5c\u5728\u5f71\u54cd<\/th>\n<\/tr>\n<\/thead>\n
      \u5f97\u5230<\/td>\n\u53c2\u6570\u9644\u52a0\u5728 URL \u4e2d\u5e76\u4e14\u5bf9\u7528\u6237\u53ef\u89c1\u3002<\/td>\n\u53ef\u4ee5\u64cd\u7eb5\u670d\u52a1\u5668\u7684\u54cd\u5e94\u6216 Web \u5e94\u7528\u7a0b\u5e8f\u7684\u884c\u4e3a<\/td>\n<\/tr>\n
      \u90ae\u653f<\/td>\n\u53c2\u6570\u5305\u542b\u5728 HTTP \u8bf7\u6c42\u7684\u4e3b\u4f53\u4e2d\u5e76\u4e14\u662f\u9690\u85cf\u7684\u3002<\/td>\n\u53ef\u4ee5\u6539\u53d8\u670d\u52a1\u5668\u7684\u72b6\u6001\u53ca\u5176\u5b58\u50a8\u7684\u4fe1\u606f<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      \u5b9e\u73b0HTTP\u53c2\u6570\u6c61\u67d3\uff1a\u95ee\u9898\u53ca\u89e3\u51b3\u65b9\u6848<\/h2>\n

      \u5c3d\u7ba1 HPP \u653b\u51fb\u5177\u6709\u9690\u79d8\u6027\uff0c\u4f46\u4ecd\u6709\u65b9\u6cd5\u53ef\u4ee5\u68c0\u6d4b\u548c\u51cf\u8f7b\u5176\u5e26\u6765\u7684\u98ce\u9669\u3002\u5927\u591a\u6570\u65b9\u6cd5\u6d89\u53ca\u6b63\u786e\u5904\u7406\u548c\u6e05\u7406\u8f93\u5165\uff0c\u5c24\u5176\u662f\u9488\u5bf9 HTTP \u53c2\u6570\u7684\u8f93\u5165\uff1a<\/p>\n

        \n
      1. \u9a8c\u8bc1\u8f93\u5165\uff1a<\/strong> Web \u5e94\u7528\u7a0b\u5e8f\u5e94\u8be5\u9a8c\u8bc1\u6240\u6709\u8f93\u5165\u4ee5\u786e\u4fdd\u5176\u7b26\u5408\u9884\u671f\u683c\u5f0f\u3002<\/li>\n
      2. \u51c0\u5316\u8f93\u5165\uff1a<\/strong> \u5e94\u6e05\u7406\u6240\u6709\u8f93\u5165\u4ee5\u5220\u9664\u6f5c\u5728\u7684\u6709\u5bb3\u6570\u636e\u3002<\/li>\n
      3. \u5b9e\u65bd Web \u5e94\u7528\u7a0b\u5e8f\u9632\u706b\u5899 (WAF)\uff1a<\/strong> WAF \u53ef\u4ee5\u68c0\u6d4b\u5e76\u963b\u6b62\u8bb8\u591a HPP \u5c1d\u8bd5\u3002<\/li>\n
      4. \u5b9a\u671f\u5b89\u5168\u5ba1\u6838\uff1a<\/strong> \u5b9a\u671f\u5ba1\u67e5\u4ee3\u7801\u5e76\u8fdb\u884c\u6e17\u900f\u6d4b\u8bd5\u53ef\u4ee5\u5e2e\u52a9\u8bc6\u522b\u548c\u89e3\u51b3\u6f5c\u5728\u7684\u6f0f\u6d1e\u3002<\/li>\n<\/ol>\n

        \u4e0e\u7c7b\u4f3c\u6f0f\u6d1e\u7684\u6bd4\u8f83<\/h2>\n

        \u4ee5\u4e0b\u662f\u4e00\u4e9b\u4e0e HPP \u6709\u76f8\u4f3c\u4e4b\u5904\u7684 Web \u6f0f\u6d1e\uff1a<\/p>\n\n\n\n\n\n\n\n
        \u6f0f\u6d1e<\/th>\n\u63cf\u8ff0<\/th>\n\u4e0e HPP \u7684\u76f8\u4f3c\u4e4b\u5904<\/th>\n<\/tr>\n<\/thead>\n
        SQL\u6ce8\u5165<\/td>\n\u653b\u51fb\u8005\u64cd\u7eb5\u8f93\u5165\u6765\u5728\u6570\u636e\u5e93\u4e0a\u6267\u884c\u4efb\u610f SQL \u67e5\u8be2\u3002<\/td>\n\u4e24\u8005\u90fd\u6d89\u53ca\u64cd\u7eb5\u8f93\u5165\u6765\u6539\u53d8\u5e94\u7528\u7a0b\u5e8f\u7684\u884c\u4e3a\u3002<\/td>\n<\/tr>\n
        \u8de8\u7ad9\u811a\u672c<\/td>\n\u653b\u51fb\u8005\u5c06\u6076\u610f\u811a\u672c\u6ce8\u5165\u5176\u4ed6\u7528\u6237\u67e5\u770b\u7684\u7f51\u9875\u4e2d\u3002<\/td>\n\u4e24\u8005\u90fd\u53ef\u4ee5\u64cd\u7eb5\u670d\u52a1\u5668\u7aef\u884c\u4e3a\u5e76\u6cc4\u9732\u7528\u6237\u7684\u4fe1\u606f\u3002<\/td>\n<\/tr>\n
        CSRF<\/td>\n\u653b\u51fb\u8005\u8bf1\u9a97\u53d7\u5bb3\u8005\u5728\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684 Web \u5e94\u7528\u7a0b\u5e8f\u4e0a\u6267\u884c\u4e0d\u5fc5\u8981\u7684\u64cd\u4f5c\u3002<\/td>\n\u4e24\u8005\u90fd\u5229\u7528\u4e86\u7f51\u7ad9\u5bf9\u7528\u6237\u6d4f\u89c8\u5668\u7684\u4fe1\u4efb\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

        HTTP \u53c2\u6570\u6c61\u67d3\u7684\u672a\u6765\u524d\u666f<\/h2>\n

        \u968f\u7740 Web \u5e94\u7528\u7a0b\u5e8f\u7684\u4e0d\u65ad\u53d1\u5c55\uff0c\u5229\u7528\u8fd9\u4e9b\u5e94\u7528\u7a0b\u5e8f\u7684\u6280\u672f\u4e5f\u5c06\u4e0d\u65ad\u6f14\u53d8\u3002\u5c3d\u7ba1 HTTP \u53c2\u6570\u6c61\u67d3\u5df2\u4e3a\u4eba\u6240\u77e5\uff0c\u4f46\u4ecd\u672a\u5f97\u5230\u5e7f\u6cdb\u7406\u89e3\u6216\u68c0\u67e5\uff0c\u8fd9\u610f\u5473\u7740\u5b83\u5728\u672a\u6765\u53ef\u80fd\u4f1a\u6210\u4e3a\u66f4\u7a81\u51fa\u7684\u5a01\u80c1\u3002\u6b64\u5916\uff0c\u968f\u7740\u8d8a\u6765\u8d8a\u591a\u7684\u8bbe\u5907\u901a\u8fc7\u7269\u8054\u7f51\u5b9e\u73b0\u8054\u7f51\uff0cHPP \u7684\u6f5c\u5728\u653b\u51fb\u9762\u4e5f\u5728\u6269\u5927\u3002<\/p>\n

        \u7136\u800c\uff0c\u8fd9\u4e5f\u610f\u5473\u7740\u7528\u4e8e\u9632\u5fa1 HPP \u7684\u5de5\u5177\u548c\u6280\u672f\u53ef\u80fd\u4f1a\u5f97\u5230\u6539\u8fdb\u3002\u4eba\u4eec\u8d8a\u6765\u8d8a\u5173\u6ce8\u5b89\u5168\u7f16\u7801\u5b9e\u8df5\u548c\u68c0\u6d4b\u548c\u9884\u9632\u6b64\u7c7b\u6f0f\u6d1e\u7684\u81ea\u52a8\u5316\u5de5\u5177\u3002\u672a\u6765\uff0c\u6211\u4eec\u53ef\u80fd\u4f1a\u770b\u5230\u66f4\u590d\u6742\u7684 WAF \u548c\u4e13\u95e8\u7528\u4e8e\u9632\u5fa1\u53c2\u6570\u6c61\u67d3\u653b\u51fb\u7684\u7c7b\u4f3c\u6280\u672f\u3002<\/p>\n

        \u4ee3\u7406\u670d\u52a1\u5668\u548c HTTP \u53c2\u6570\u6c61\u67d3<\/h2>\n

        \u4ee3\u7406\u670d\u52a1\u5668\u5145\u5f53\u5ba2\u6237\u7aef\u5411\u5176\u4ed6\u670d\u52a1\u5668\u5bfb\u6c42\u8d44\u6e90\u7684\u8bf7\u6c42\u7684\u4e2d\u4ecb\uff0c\u53ef\u7528\u4e8e\u9632\u8303 HPP \u653b\u51fb\u3002\u5b83\u4eec\u53ef\u4ee5\u68c0\u67e5\u4f20\u5165\u7684 HTTP \u8bf7\u6c42\u4e2d\u662f\u5426\u5b58\u5728 HPP \u8ff9\u8c61\uff08\u4f8b\u5982\u91cd\u590d\u7684\u53c2\u6570\uff09\uff0c\u5e76\u963b\u6b62\u6216\u66f4\u6539\u8fd9\u4e9b\u8bf7\u6c42\u4ee5\u51cf\u8f7b\u5a01\u80c1\u3002<\/p>\n

        \u6b64\u5916\uff0c\u4ee3\u7406\u670d\u52a1\u5668\u53ef\u7528\u4f5c\u4e00\u79cd\u9694\u79bb\u5f62\u5f0f\uff0c\u4fdd\u62a4\u5185\u90e8\u7f51\u7edc\u514d\u53d7\u4e92\u8054\u7f51\u76f4\u63a5\u66b4\u9732\u548c\u6f5c\u5728\u7684 HPP \u653b\u51fb\u3002\u5b83\u4eec\u8fd8\u53ef\u4ee5\u914d\u7f6e\u4e3a\u8bb0\u5f55\u6240\u6709\u4f20\u5165\u7684 HTTP \u8bf7\u6c42\uff0c\u4e3a\u8bc6\u522b\u548c\u5206\u6790\u4f01\u56fe\u7684 HPP \u653b\u51fb\u63d0\u4f9b\u5b9d\u8d35\u7684\u6570\u636e\u3002<\/p>\n

        \u76f8\u5173\u94fe\u63a5<\/h2>\n

        \u6709\u5173 HTTP \u53c2\u6570\u6c61\u67d3\u7684\u66f4\u591a\u4fe1\u606f\uff0c\u8bf7\u8bbf\u95ee\u4ee5\u4e0b\u8d44\u6e90\uff1a<\/p>\n

          \n
        1. OWASP\uff1aHTTP \u53c2\u6570\u6c61\u67d3<\/a><\/li>\n
        2. Acunetix\uff1a\u4ec0\u4e48\u662f HTTP \u53c2\u6570\u6c61\u67d3<\/a><\/li>\n
        3. HTTP \u53c2\u6570\u6c61\u67d3\u6f0f\u6d1e<\/a><\/li>\n
        4. HTTP \u53c2\u6570\u6c61\u67d3 (HPP) \u7684\u4e50\u8da3\u548c\u6536\u76ca<\/a><\/li>\n
        5. \u9632\u5fa1 HTTP \u53c2\u6570\u6c61\u67d3\u653b\u51fb<\/a><\/li>\n<\/ol>","protected":false},"featured_media":477501,"menu_order":0,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"class_list":["post-477500","wiki","type-wiki","status-publish","has-post-thumbnail","hentry"],"acf":{"faq_title":"Frequently Asked Questions about HTTP Parameter Pollution: A Comprehensive Exploration<\/mark>","faq_items":[{"question":"What is HTTP Parameter Pollution?","answer":"

          HTTP Parameter Pollution (HPP) is a web security vulnerability that involves the injection of manipulated parameters into HTTP requests. This could potentially allow attackers to alter the way a web application functions, bypass input validation checks, access sensitive data, and carry out other forms of web-based attacks.<\/p>"},{"question":"When was HTTP Parameter Pollution first identified?","answer":"

          HTTP Parameter Pollution was first identified as a distinct web application vulnerability around the early 2000s. However, it was officially recognized by the web security community following the release of a paper by OWASP (Open Web Application Security Project) in 2010.<\/p>"},{"question":"How does an HTTP Parameter Pollution attack work?","answer":"

          In an HPP attack, the attacker includes the same parameter multiple times within an HTTP request, each time with different values. The application server then combines these values in a way that was not intended by the developers, leading to potential security vulnerabilities.<\/p>"},{"question":"What are the key features of HTTP Parameter Pollution?","answer":"

          The key features of HTTP Parameter Pollution include targeting HTTP requests, manipulation of parameters, dependency on the application behaviour, the potential for a widespread impact, and its stealthy approach.<\/p>"},{"question":"What types of HTTP Parameter Pollution exist?","answer":"

          There are two primary types of HTTP Parameter Pollution based on the HTTP method used: GET-Based HPP, which manipulates the parameters within the URL of an HTTP GET request, and POST-Based HPP, which manipulates the parameters within the body of an HTTP POST request.<\/p>"},{"question":"How can one mitigate the risks posed by HTTP Parameter Pollution attacks?","answer":"

          Most mitigation strategies involve properly handling and sanitizing input, particularly with respect to HTTP parameters. This includes validating and sanitizing input, implementing a Web Application Firewall (WAF), and conducting regular security audits.<\/p>"},{"question":"How do proxy servers guard against HTTP Parameter Pollution attacks?","answer":"

          Proxy servers can inspect incoming HTTP requests for signs of HPP (like repeated parameters) and block or alter these requests to mitigate the threat. They can also isolate internal networks from direct exposure to the internet and potential HPP attacks, and log all incoming HTTP requests for further analysis.<\/p>"},{"question":"What are the future perspectives of HTTP Parameter Pollution?","answer":"

          As web applications continue to evolve, so too will the techniques used to exploit them. However, the focus on secure coding practices and automated tools to detect and prevent such vulnerabilities is also increasing. In the future, we may see more sophisticated WAFs and similar technologies specifically designed to defend against parameter pollution attacks.<\/p>"}]},"_links":{"self":[{"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/wiki\/477500","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/wiki"}],"about":[{"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/types\/wiki"}],"version-history":[{"count":0,"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/wiki\/477500\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/media\/477501"}],"wp:attachment":[{"href":"https:\/\/oneproxy.pro\/cn\/wp-json\/wp\/v2\/media?parent=477500"}],"curies":[{"name":"\u53ef\u6e7f\u6027\u7c89\u5242","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}