# Week 52 - Parameter Pollution

This week’s [#WebHackingSeries](https://www.linkedin.com/feed/hashtag/?keywords=webhackingseries\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A7021482272155430913) tip covers HTTP Parameter Pollution!

HTTP Parameter Pollution occurs when the same GET or POST parameter is supplied more than once, with the goal of tricking the application into issuing an unauthorized request. It works because different components of an application can disagree about which copy of a repeated parameter to use: one may take the first occurrence, another the last. Say we have the following URL:

`victim[.]com/auth/generate_otp?email=user@user[.]com&method=email`

This URL generates a One-Time Password for users to log in to their account. We can trick a vulnerable application by using parameter pollution:

`victim[.]com/auth/generate_otp?email=user@user[.]com&email=jake@hacker[.]com&method=email`

Note the additional GET parameter ‘email’, which contains jake@hacker[.]com. Assuming this application is vulnerable, the back-end would use the first ‘email’ parameter to look up the account and generate the OTP, and the second ‘email’ parameter as the address to send the OTP to. This would allow jake@hacker[.]com to take over the account user@user[.]com through a parameter pollution attack.

Hit me with a follow for more Offensive Security Tips!

![](/files/3HHiVNTwoky9aT3hg3Tr)
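As an added example (not code from the post, and not any real application's code), the Python below models the inconsistency the post describes and shows the defensive fix. The host `victim.example` and the addresses `user@user.example` and `jake@hacker.example` are constructed placeholders, and the function names (`generate_otp_vulnerable`, `parse_query_strict`, `generate_otp_hardened`, `duplicate_parameter_names`) are hypothetical. The vulnerable handler lets two code paths pick different copies of `email`; the hardened handler rejects any repeated parameter name before a single value is used, and a small helper surfaces duplicate names for logging or a WAF rule.

```python
from urllib.parse import parse_qs, parse_qsl, urlsplit

# Constructed sample requests (hypothetical host and addresses, not from the post).
CLEAN_URL = "https://victim.example/auth/generate_otp?email=user@user.example&method=email"
POLLUTED_URL = (
    "https://victim.example/auth/generate_otp"
    "?email=user@user.example&email=jake@hacker.example&method=email"
)


class DuplicateParameterError(ValueError):
    """Raised when a query string repeats a parameter name."""


def generate_otp_vulnerable(url: str) -> dict:
    """Vulnerable pattern: two code paths pick different copies of 'email'.

    The account lookup takes the first occurrence while the mailer takes the
    last one, so a polluted request generates a code for one account and
    delivers it to a different address.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    account = params["email"][0]     # account service: first value wins
    recipient = params["email"][-1]  # mail service: last value wins
    return {"account": account, "recipient": recipient}


def parse_query_strict(query: str) -> dict:
    """Parse a query string, rejecting any parameter name that appears twice.

    Returns a plain name -> value mapping, so every consumer sees one value.
    """
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in params:
            raise DuplicateParameterError(f"parameter {name!r} supplied more than once")
        params[name] = value
    return params


def generate_otp_hardened(url: str) -> dict:
    """Hardened handler: duplicates are rejected before any value is used,
    and a single 'email' value feeds both the lookup and the delivery."""
    params = parse_query_strict(urlsplit(url).query)
    email = params["email"]
    return {"account": email, "recipient": email}


def duplicate_parameter_names(url: str) -> list:
    """Detection helper for logs or an edge rule: names occurring more than once."""
    counts = {}
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("vulnerable:", generate_otp_vulnerable(POLLUTED_URL))
    print("duplicates:", duplicate_parameter_names(POLLUTED_URL))
    try:
        generate_otp_hardened(POLLUTED_URL)
    except DuplicateParameterError as exc:
        print("hardened handler rejected request:", exc)
```

The disagreement modelled here is realistic across mixed stacks: Flask/Werkzeug's `request.args.get()` returns the first value, PHP's `$_GET` keeps the last, and Node's `qs` parser collects both into an array, so a proxy, WAF and application can each see a different `email`. Rejecting repeated names at the edge, or reading parameters through an API that returns the full list and failing when it holds more than one entry, removes the ambiguity rather than guessing which copy is "right".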

