http-parameter-pollution


SKILL: HTTP Parameter Pollution (HPP)

AI LOAD INSTRUCTION: Model the full request path: browser → CDN/WAF → reverse proxy → app framework → business code. Duplicate keys (a=1&a=2) are not an error at the HTTP level; each hop may keep the first occurrence, keep the last, join the values, or turn them into an array. Test for HPP wherever the WAF and the app resolve duplicates differently, or wherever internal HTTP clients rebuild query strings before forwarding them. Routing note: when the same parameter appears multiple times, or the WAF and backend stacks differ, use the Section 1 matrix to test first/last/merge assumptions, then design Section 3 scenario chains.

0. QUICK START

Hypothesis: the security check reads one occurrence of a parameter while the action reads another.

First-pass payloads

id=1&id=2
id=1&id=1%20OR%201=1
url=https://legit.example&id=https://evil.example
amount=1&amount=9999
csrf=TOKEN_A&csrf=TOKEN_B
user=alice&user=admin
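Added illustration, not part of the skill's own files: the four resolution strategies named above written out as plain functions, a check that reports guarded keys whose value differs between the hop doing the security check and the hop doing the action (the Quick Start hypothesis), and the defensive canonicalisation a backend should apply. Hop names and the guarded-key list are illustrative assumptions; only the Python standard library is used.

```python
from urllib.parse import parse_qsl

# Strategies real stacks use for repeated keys, so the divergence is visible.
STRATEGIES = {
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
    "join": lambda vals: ",".join(vals),
    "array": lambda vals: list(vals),
}


def group_params(query):
    """Parse a raw query string into {key: [values in order]}, keeping every occurrence."""
    grouped = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(key, []).append(value)
    return grouped


def resolve(query, strategy):
    """Return the {key: value} view a hop using `strategy` would act on."""
    pick = STRATEGIES[strategy]
    return {k: pick(v) for k, v in group_params(query).items()}


def hpp_findings(query, check_hop, action_hop, guarded):
    """Guarded keys whose value differs between the hop that performs the
    security check and the hop that performs the action: (key, checked, acted)."""
    checked = resolve(query, check_hop)
    acted = resolve(query, action_hop)
    return [(k, checked[k], acted[k]) for k in guarded
            if k in checked and checked[k] != acted[k]]


def reject_duplicates(query, guarded):
    """Defensive canonicalisation: refuse any request that repeats a guarded key.
    Returns (accepted, [repeated guarded keys])."""
    dupes = [k for k, v in group_params(query).items() if k in guarded and len(v) > 1]
    return (len(dupes) == 0, dupes)


if __name__ == "__main__":
    # Constructed sample: the WAF validates the first `id`, the app acts on the last.
    q = "id=1&id=2&page=3"
    print(hpp_findings(q, "first", "last", ["id", "user", "amount"]))
    print(reject_duplicates(q, ["id"]))
```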
Installs: 492
GitHub Stars: 620
First Seen: Apr 9, 2026