# Week 52 - Parameter Pollution

This week’s [#WebHackingSeries](https://www.linkedin.com/feed/hashtag/?keywords=webhackingseries\&highlightedUpdateUrns=urn%3Ali%3Aactivity%3A7021482272155430913) tip covers HTTP Parameter Pollution!

Parameter Pollution occurs when you supply the same GET or POST parameter more than once, with the goal of tricking the application into issuing an unauthorized request. Say we have the following URL:

`victim[.]com/auth/generate_otp?email=user@user[.]com&method=email`

This URL generates a One-Time Password (OTP) that users enter to log in to their account. We can trick a vulnerable application by using parameter pollution:

`victim[.]com/auth/generate_otp?email=user@user[.]com&email=jake@hacker[.]com&method=email`

Note the additional GET parameter ‘email’, which contains jake@hacker[.]com. Assuming this application is vulnerable, the back-end would use the first ‘email’ parameter to generate the OTP and the second ‘email’ parameter to send it, which allows jake@hacker[.]com to take over the account user@user[.]com through a parameter pollution attack.

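As an added example (not part of the original tip), the Python below shows why the polluted URL above works and how to close the hole: two components that read the same query string with a first-wins and a last-wins rule disagree on who the OTP belongs to, while a reader that rejects duplicated parameters fails closed and a small helper flags the duplicates for logging or WAF rules. The `victim.example` host is a constructed stand-in.

```python
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Constructed URLs mirroring the tip; victim.example is a stand-in host.
CLEAN_URL = "https://victim.example/auth/generate_otp?email=user@user.com&method=email"
POLLUTED_URL = ("https://victim.example/auth/generate_otp"
                "?email=user@user.com&email=jake@hacker.com&method=email")


class ParameterPollution(ValueError):
    """Raised when a parameter that must be unique is supplied more than once."""


def first_value(query: str, name: str) -> str | None:
    """Naive reader that keeps the FIRST occurrence (the OTP generator in the tip)."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[0] if values else None


def last_value(query: str, name: str) -> str | None:
    """Naive reader that keeps the LAST occurrence (the mailer in the tip)."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    return values[-1] if values else None


def single_value(query: str, name: str) -> str | None:
    """Hardened reader: the parameter may appear at most once, otherwise fail closed."""
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    if len(values) > 1:
        raise ParameterPollution(f"parameter {name!r} supplied {len(values)} times")
    return values[0] if values else None


def duplicated_params(url: str) -> list[str]:
    """Parameter names that occur more than once; a cheap detection check for logs/WAF."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name, values in params.items() if len(values) > 1)


def otp_targets(url: str) -> tuple[str | None, str | None]:
    """(account the OTP is generated for, address it is mailed to), as seen by two
    components that each resolve a duplicated 'email' differently."""
    query = urlsplit(url).query
    return first_value(query, "email"), last_value(query, "email")


def otp_targets_hardened(url: str) -> tuple[str | None, str | None]:
    """Same flow, but every component reads 'email' through single_value()."""
    email = single_value(urlsplit(url).query, "email")
    return email, email
```

With the polluted URL, `otp_targets()` returns different addresses for the two components, whereas `otp_targets_hardened()` raises `ParameterPollution` before any OTP is generated.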
Hit me with a follow for more Offensive Security Tips!

![](https://3053998085-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxZo6Sim2dDXChJQAtNXN%2Fuploads%2FgE1cUBMQezTrXfpDFrqq%2Fimage.png?alt=media\&token=50f7cef7-68f8-4cb0-bc77-ef6e6477360d)
