Introduction
Sometimes, the smallest tests lead to the biggest rewards. That's exactly what happened when I stumbled upon an HTTP Parameter Pollution (HPP) vulnerability on Example.com, earning a $1,000 bounty for a few minutes of curiosity.
In this article, I'll walk you through the exact steps I took — from the idea, testing, discovery, to reporting — so you can learn how to spot similar vulnerabilities in your bug bounty journey.
What is Parameter Pollution?
Before diving into the story, let's understand what HTTP Parameter Pollution means in simple terms.
Definition:
Parameter pollution happens when a web server or application receives multiple parameters with the same name in a single request. Because different frameworks handle these duplicates differently, attackers can exploit this inconsistency to:
- Leak data
- Bypass validation
- Break logic
- Achieve unintended server behavior
Example polluted URL:
https://example.com/product?id=123&id=9999
Here, id appears twice — what does the server do with it? That's where the magic (or vulnerability) can happen.
The Recon That Sparked The Idea
During my bug bounty recon on Example.com, I noticed their product page URL pattern:
https://example.com/product?id=123
This seemed normal. But I asked myself:
- What if I provide the id parameter twice?
- Will the server pick the first, last, or merge both?
It's such a simple test — but often overlooked.
Crafting the Exploit
I tried this URL:
https://example.com/product?id=123&id=9999
And watched carefully.
The response shocked me!
- The server included data for both product IDs.
- It displayed not just the product I was supposed to see (123), but also hidden details of 9999.
What data leaked?
- Internal product IDs
- Hidden discount pricing
- Stock quantities not meant for public view
- Internal tags
Curl PoC
curl "https://example.com/product?id=123&id=9999"
- Response: JSON combining both product data
Why Did This Happen?
Different programming frameworks handle duplicate parameters differently:
| Framework | Behavior on duplicate param |
| ------------- | ----------------------------- |
| PHP | Takes the last value |
| Node.js | Keeps both values in an array |
| Java Spring | Takes the first value |
| Express.js | Keeps both in array |
| Ruby on Rails | Last value wins |
- In Example.com's case, their backend combined both into one output — leading to unintended data exposure.
The Impact
This wasn't just a theoretical issue:
- I could enumerate internal products by changing the second ID
- I could see prices before discounts were applied
- I could scrape stock levels
- I could potentially influence API calls by polluting parameters
How Example.com Fixed It
Example.com's security team acted swiftly:
- They enforced server-side validation to only accept one instance of each parameter
- They added WAF rules to detect and block polluted requests
- They updated their API responses to ensure data isolation
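The first fix above, accepting only one instance of each parameter, can be enforced before any handler reads the query. The Python below is an added example, not Example.com's code: the function and class names are hypothetical, the sample URLs are constructed, and it checks the four duplicate shapes this article lists (`&`, `;`, `,` and `%26`).

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit


class DuplicateParameterError(ValueError):
    """Raised when a request repeats a parameter name."""


def duplicated_names(query: str) -> list[str]:
    """Names that repeat under a worst-case reading of the raw query string.

    The query is percent-decoded once and split on '&', ';' and ',' so that
    a repeat hidden from one parser but visible to another is still counted.
    """
    worst_case = re.sub(r"[;,]", "&", unquote(query))
    counts = Counter(name for name, _ in parse_qsl(worst_case, keep_blank_values=True))
    return sorted(name for name, seen in counts.items() if seen > 1)


def strict_params(url: str) -> dict[str, str]:
    """Return the query as a name -> value dict, or raise on any repeat."""
    query = urlsplit(url).query
    repeated = duplicated_names(query)
    if repeated:
        raise DuplicateParameterError("repeated parameter(s): " + ", ".join(repeated))
    # No name repeats at this point, so dict() cannot silently drop a value.
    return dict(parse_qsl(query, keep_blank_values=True))


# Constructed sample requests, using the URL shapes shown in the article.
SAMPLES = [
    "https://example.com/product?id=123",
    "https://example.com/product?id=123&id=9999",
    "https://example.com/product?id=123;id=9999",
    "https://example.com/product?id=123,id=9999",
    "https://example.com/product?id=123%26id=9999",
]

if __name__ == "__main__":
    for url in SAMPLES:
        try:
            print("accept", strict_params(url))
        except DuplicateParameterError as exc:
            print("reject", url, "->", exc)
```

Values that merely contain an encoded `&` or a comma, such as `q=tom%26jerry`, still pass because no name repeats.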
How YOU Can Find Parameter Pollution Bugs
Here's a practical guide for bug hunters:
1. Look for parameterized URLs
Search for:
?id= &user= &product= &price= &redirect=
2. Try duplicate parameter injection
Examples:
?id=123&id=9999
?id=123;id=9999
?id=123,id=9999
?id=123%26id=9999
3. Observe responses
Compare:
- Status codes
- Response length
- Content differences
Use Burp Comparer, diff tools, or scripts.
4. Tools to help
- Burp Intruder / Repeater — fast testing
- Python requests / curl — scripting
- Custom wordlists — auto-inject duplicate param combos
- Nuclei templates (you can write one for param pollution patterns)
Example Payload Variations
curl "https://example.com/api/user?user=alice&user=bob"
curl "https://example.com/login?redirect=/home&redirect=/admin"
curl "https://example.com/item?id=1;id=9999"
- Test GET and POST both.
Conclusion
Parameter pollution is a simple yet powerful bug class that can expose sensitive data or break logic in web apps. Next time you're testing, don't overlook trying duplicate parameters — sometimes, what seems small can lead to your next big bounty.
Happy hunting! ✨