ashish singh

Reputation: 23

HTTP parameter pollution URL encoding bypass

As in this section here, they gave the mitigation by encoding the input as URL encoding. Is there any way to bypass such a mitigation?

Upvotes: 1

Views: 439

Answers (1)

Karan Shishoo

Reputation: 2801

If correct URL encoding is applied and only the needed fields are considered and validated, there is no method of bypassing such a mitigation using HTTP parameter pollution.

[The HPP vulnerability is based on the fact that proper URL parameter validation and verification is not implemented and that the backend accepts and uses any input if applicable, instead of filtering and accepting only specific inputs needed from a request and ignoring the rest]

Upvotes: 1
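An added example (not part of the answer above, nor code from the section the question refers to) showing in Python the two measures the answer names: percent-encoding the user-supplied value, and a back end that accepts only the fields it needs. The parameter names `account` and `action`, the function names and the sample input are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, quote

ALLOWED = {"action", "account"}   # hypothetical: the only fields the back end needs
SAMPLE = "1234&action=delete"     # constructed user input carrying an extra parameter


def build_unsafe(account: str) -> str:
    # "Before": raw concatenation, so '&' and '=' in the input become query syntax.
    return "action=view&account=" + account


def build_encoded(account: str) -> str:
    # Mitigation: percent-encode the value so '&' and '=' remain data.
    return "action=view&account=" + quote(account, safe="")


def parse_lenient(query: str) -> dict:
    # A back end that takes whatever arrives; with dict(), the last duplicate wins.
    return dict(parse_qsl(query))


def parse_strict(query: str) -> dict:
    # Accept only allow-listed fields, each exactly once; reject everything else.
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in ALLOWED:
            raise ValueError(f"unexpected parameter: {name}")
        if name in params:
            raise ValueError(f"duplicate parameter: {name}")
        params[name] = value
    return params


if __name__ == "__main__":
    polluted = build_unsafe(SAMPLE)
    print("unsafe query :", polluted)
    print("lenient parse:", parse_lenient(polluted))   # action was overridden
    try:
        parse_strict(polluted)
    except ValueError as err:
        print("strict parse :", err)                   # duplicate is rejected
    safe = build_encoded(SAMPLE)
    print("encoded query:", safe)
    print("strict parse :", parse_strict(safe))        # input stays one value
```
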
