Search code examples
securitycsrfcsrf-protection

Difference between CSRF and HPP (HTTP Parameter Pollution)?

I went through this link to understand about HPP (HTTP Parameter Pollution) attacks.

In HPP attacks it seems like, attacker modifies the HTTP parameters and sends the modified URL to the victim. Isn't this same as CSRF attacks? If not can somebody tell me what is the difference between CSRF & HPP?

Solution

  • HTTP Parameter Pollution is when your application makes a back-end HTTP request to another system and these parameters can be manipulated by input into your main application. HPP is defined by the fact the attacker causes a duplicate parameter name to be passed to the back-end request, which overrides the parameter value being explicitly passed by the application. A similar vulnerability, HTTP Parameter Injection is defined by the attacker adding a new parameter to the back-end request which is interpreted by the other system. So HPI causes a new parameter to be added, whereas HPP causes an existing parameter to be ignored or interpreted in a new way.

    See my answer here for a solid example of HPP.

    CSRF doesn't require any back-end HTTP request. This is a front-end request, but made by the victim without their knowledge. It basically means that a malicious request is made using the victim's browser and the victim's authorisation cookies. It could be as simple as a hidden image on the attacker's page:

    <img src="https://bank.example.com/transfer_money?toAmount=999&toAccount=12345678" />

    This will be triggered whenever the victim visits the attacker's page (e.g. following a link emailed to them, or something posted on a forum).

    See my answer here for another example using the POST method.

    Sometimes a HPP vulnerability can be exploited via CSRF. For example, one that requires the victim to be the one logged into the system that is exploitable via HPP. e.g. the POST to https://www.example.com/transferMoney.php could be made by the attacker's site, passing the toAccount=9876 POST parameter causing the victim to transfer money to an unauthorised account using their autorisation cookie for www.example.com.

    Regarding the article in your question, I don't think that is a realistic HPP attack because any actions that cause a state change should be implemented via the POST method and not a GET link as the article demonstrates, so you wouldn't actually get an action link being constructed from the current page (but hey, anything is possible). This is why HPP is really more around back-end requests in practice.