HTTP Parameter Pollution (HPP)
Imagine that, on receiving a request, a backend makes a further request somewhere else with a set of fixed parameters. You may be able to override those parameters by supplying values of your own in the request you send, thereby altering the subsequent request and tricking it into doing something it was not intended to do.
Typically, this vulnerability is a symptom of a broader systemic issue. How exploitable it is depends entirely on how the backend technology handles repeated parameters: PHP/Apache uses the last occurrence of a parameter, Tomcat the first occurrence, ASP/IIS (Internet Information Services) all of them, and so on.
Examples:
- Social sharing buttons: unsubscribing from Twitter notifications by adding another UID parameter.
- Twitter web intents: clicking on a button, seeing the correct person's profile but actually subscribing to whatever was presented in an "overloaded" parameter.
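The precedence rules above, and the defensive check that keeps them from mattering, as an added example (not part of the original notes). It models the three backend behaviours the text names (ASP/IIS "all of them" is assumed here to mean a comma-joined value) and shows a hypothetical `build_upstream_query` helper that refuses duplicated keys and any attempt to override a fixed server-side parameter before the follow-up request is built; the query string is constructed sample input.

```python
from urllib.parse import parse_qs

# Precedence policies named on the page: which occurrence of a repeated
# parameter each backend keeps when a key appears more than once.
# Assumption: the ASP/IIS "all of them" behaviour is modelled as a comma join.
POLICIES = {
    "php_apache": lambda vals: vals[-1],     # last occurrence wins
    "tomcat": lambda vals: vals[0],          # first occurrence wins
    "asp_iis": lambda vals: ",".join(vals),  # every occurrence, comma-joined
}

def resolve(query, policy):
    """Return the effective parameters as the named backend would see them."""
    raw = parse_qs(query, keep_blank_values=True)
    pick = POLICIES[policy]
    return {k: pick(v) for k, v in raw.items()}

def polluted_keys(query):
    """Defensive check: keys that occur more than once in the query string."""
    raw = parse_qs(query, keep_blank_values=True)
    return sorted(k for k, v in raw.items() if len(v) > 1)

def build_upstream_query(fixed, user_query):
    """Hypothetical helper for the server-side follow-up request.

    Duplicated keys are rejected outright, so the upstream's precedence rule
    never decides the outcome, and the caller's fixed parameters can never be
    overridden by the incoming request.
    """
    dup = polluted_keys(user_query)
    if dup:
        raise ValueError(f"duplicate parameters rejected: {dup}")
    incoming = {k: v[0] for k, v in parse_qs(user_query, keep_blank_values=True).items()}
    clash = sorted(set(incoming) & set(fixed))
    if clash:
        raise ValueError(f"attempt to override fixed parameters: {clash}")
    return {**incoming, **fixed}

# Constructed sample: the unsubscribe pattern described above, with a second
# UID appended to the query string.
SAMPLE = "action=unsubscribe&UID=1001&UID=2002"

if __name__ == "__main__":
    for name in POLICIES:
        print(name, resolve(SAMPLE, name))
    print("duplicated keys:", polluted_keys(SAMPLE))
```

Run as a script to see that the same query yields `UID=2002` for PHP/Apache, `UID=1001` for Tomcat and `UID=1001,2002` for ASP/IIS, while the check flags `UID` regardless of which backend is downstream.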