HTTP Parameter Pollution is a web application vulnerability which occurs when hackers hide scripts and processes in URLs. This technique can also allow hackers to pollute the parameters in the URL and the request body if user input is not sanitized correctly by a web application. This could lead to behavior changes in the app, such as cross-site scripting, privilege changes or granting unwanted access.
An attacker can use an HPP attack to perform many different unwanted actions. They can override the existing hardcoded HTTP parameters, modify the application behavior and access and exploit the user-uncontrollable variables. HPP attacks also enable people to bypass input validation checks and web application firewall (WAF) rules. It opens up routes to attacks, including cross-site scripting (XSS), structured query language (SQL) injection. HPP attacks can be performed by polluting HTTP GET/POST requests by injecting multiple parameters with the same name holding different values and kept apart by delimiters.