HTTP Parameter Pollution is abbreviated as HPP, so some people also call it "HPP parameter pollution".
A very good article about HPP parameter pollution: http://www.paigu.com/a/33478/23535461.html
As stated in the article, HPP is not a vulnerability in itself, but when a web site has an SQL injection or XSS flaw and sits behind a WAF, HPP can help attackers bypass the WAF.
So what is HPP parameter pollution?
The original normal search URL is: https://www.baidu.com/s?ie=UTF-8&wd= Cherish the youth when the blog
I'll add one more `wd` parameter: https://www.baidu.com/s?ie=UTF-8&wd= Cherish Youth Blog &wd= I want to be a network Daniel
360 search will be understood as 123
Yahoo will understand it as:
Google will understand that:
110 911
Consider this URL: http://www.xxxx.com/search.php?id=110&id=911
Baidu will interpret it as a search for: 110 # takes the first parameter and discards the second.
Yahoo will interpret it as a search for: 911 # takes the second parameter and discards the first.
Google will interpret it as a search for: 911 # takes both parameters at the same time.
The current HTTP standard does not say what to do when multiple values are assigned to the same parameter. Web application components therefore do not all handle this situation in the same way.
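As an added example (not code from the original article), the following Python check lists every query parameter that appears more than once and shows the three readings described above: first value, last value, and all values. The function names are hypothetical, and joining all values with a space is an assumption, since each component combines them in its own way.

```python
from urllib.parse import urlsplit, parse_qsl


def group_params(url):
    """Return {name: [values in order of appearance]} for the query string."""
    grouped = {}
    # keep_blank_values=True so "id=&id=911" still counts as two occurrences
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def interpretations(values):
    """The three readings a component may choose for a repeated parameter."""
    return {
        "first": values[0],       # first occurrence wins
        "last": values[-1],       # last occurrence wins
        "all": " ".join(values),  # every occurrence kept (separator assumed)
    }


def find_pollution(url):
    """Report each parameter that is supplied more than once.

    A request flagged here can be read differently by a WAF and by the
    application behind it, so it is worth rejecting or normalizing to a
    single value before any security check runs.
    """
    return {
        name: interpretations(values)
        for name, values in group_params(url).items()
        if len(values) > 1
    }


if __name__ == "__main__":
    # First URL is the one from the article; the second is a constructed
    # request without repeated parameters.
    for url in ("http://www.xxxx.com/search.php?id=110&id=911",
                "http://www.xxxx.com/search.php?id=110&page=2"):
        print(url, "->", find_pollution(url) or "no repeated parameters")
```

Running the same check at the WAF and in the application, and refusing requests it flags, removes the ambiguity that the bypass depends on.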