HTTP Parameter Pollution
HTTP Parameter Pollution (HPP) is an instance of the broader Parser Differential vulnerability class. A parser differential occurs when different implementations of the same input language (e.g., the HTTP protocol, the ZIP format, X.509 certificates) interpret the same input differently. An adversary can exploit these discrepancies to bypass validation or inject malicious behaviour.
In the case of HPP, attackers supply duplicate HTTP parameters (e.g., ?id=1&id=2) that are interpreted differently by various components (web application, proxy, WAF, framework). Depending on which value is used or concatenated, an attacker may override security checks, manipulate application logic, or trigger injection vulnerabilities.
Other notable parser differential examples include:
- HTTP Request Smuggling / Desync
- Android Master Key (ZIP file parsing inconsistency)
- X.509 Subject Name Confusion
Remediation
- Ensure that only one component in the processing chain interprets untrusted input, and that normalised, validated data is passed downstream.
- Do not forward raw untrusted input across multiple components that may use different parsers or frameworks.
- Apply strict validation and canonicalisation at input boundaries (e.g., reject duplicate parameters, enforce schema).
- Configure frameworks or libraries to use deterministic parsing modes where available (e.g., “first parameter wins” or “reject duplicates”).
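The remediations above in working form, as an added example that is not SecDim's own code: a strict parser for the input boundary that rejects duplicate parameters, beside a model of the "first wins", "last wins" and "concatenate" conventions lenient components apply, so the discrepancy for `?id=1&id=2` is visible. The `parse_lenient` modes and the sample query are assumptions constructed for illustration, not a specific framework's behaviour.

```python
# Added example (not the page's or SecDim's code): strict boundary parsing for
# HTTP query strings versus the divergent conventions of lenient parsers.
from urllib.parse import parse_qsl

LENIENT_MODES = ("first", "last", "concat")


class DuplicateParameterError(ValueError):
    """Raised when the query string repeats a parameter name."""


def parse_strict(query: str) -> dict[str, str]:
    """Canonical parser for the input boundary: each name may appear at most once.
    Duplicates are rejected instead of silently resolved, so every downstream
    component receives exactly one value per parameter."""
    params: dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in params:
            raise DuplicateParameterError(f"duplicate parameter {name!r}")
        params[name] = value
    return params


def accepts(query: str) -> bool:
    """True if the strict parser admits the query string."""
    try:
        parse_strict(query)
    except DuplicateParameterError:
        return False
    return True


def parse_lenient(query: str, mode: str) -> dict[str, str]:
    """Model (assumed, not any one framework) of how lenient components resolve
    duplicates: 'first' keeps the first occurrence, 'last' the last, 'concat'
    joins all occurrences with commas."""
    if mode not in LENIENT_MODES:
        raise ValueError(f"unknown mode {mode!r}")
    params: dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in params or mode == "last":
            params[name] = value
        elif mode == "concat":
            params[name] = params[name] + "," + value
    return params


def differential(query: str, name: str) -> dict[str, str]:
    """Value of `name` under each convention; if the component that validates
    and the component that acts differ here, the HPP condition exists."""
    return {m: parse_lenient(query, m).get(name, "") for m in LENIENT_MODES}


if __name__ == "__main__":
    query = "id=1&id=2"  # constructed sample from the text above
    print(differential(query, "id"))  # {'first': '1', 'last': '2', 'concat': '1,2'}
    print("strict parser accepts:", accepts(query))  # False
```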
For more information, refer to the Code Signature Bypass mini course on SecDim Learn.
Metadata
- Severity: medium
- Slug: http-parameter-pollution
CWEs
- 88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
- 115: Misinterpretation of Input
- 20: Improper Input Validation
- 444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
- 436: Interpretation Conflict
OWASP
- A03:2021: Injection
- A04:2021: Insecure Design
- A05:2021: Security Misconfiguration