SKILL: HTTP Parameter Pollution (HPP)

AI LOAD INSTRUCTION: Model the full request path: browser → CDN/WAF → reverse proxy → app framework → business code. Duplicate keys (a=1&a=2) are not an error at HTTP level; each hop may pick first, last, join, or array-ify. Test HPP when WAF and app disagree, or when internal HTTP clients rebuild query strings.

Routing note: when the same parameter appears multiple times, or WAF/backend stacks differ, use the Section 1 matrix to test first/last/merge assumptions, then design Section 3 scenario chains.

0. QUICK START

Hypothesis: the security check reads one occurrence of a parameter while the action reads another.

First-pass payloads
  id=1&id=2
  id=1&id=1%20OR%201=1
  url=https://legit.example&id=https://evil.example
  amount=1&amount=9999
  csrf=TOKEN_A&csrf=TOKEN_B
  user=alice&user=admin
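Added example, not part of the original skill text: a small Python model of the four parsing strategies the load instruction names (first, last, join, array-ify), a handler that has exactly the check/use mismatch the Quick Start hypothesis describes, and a hardened handler that rejects duplicated keys before any check runs. The allow-list, the handler names and the query strings other than the page's own `user=alice&user=admin` are constructed for illustration.

```python
from urllib.parse import unquote_plus

# --- Section 1 style matrix: how each hop might read a duplicated key ---

def split_pairs(qs: str) -> list[tuple[str, str]]:
    """Split a raw query string into (key, value) pairs, keeping order and duplicates.
    Partition on the first '=' only, so a value containing '=' survives intact."""
    pairs = []
    for part in qs.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs

def first_wins(qs: str) -> dict[str, str]:
    """Keep the first occurrence of each key."""
    out: dict[str, str] = {}
    for k, v in split_pairs(qs):
        out.setdefault(k, v)
    return out

def last_wins(qs: str) -> dict[str, str]:
    """Keep the last occurrence of each key."""
    out: dict[str, str] = {}
    for k, v in split_pairs(qs):
        out[k] = v
    return out

def join_comma(qs: str) -> dict[str, str]:
    """Join repeated values with a comma."""
    out: dict[str, str] = {}
    for k, v in split_pairs(qs):
        out[k] = v if k not in out else out[k] + "," + v
    return out

def array_ify(qs: str) -> dict[str, list[str]]:
    """Collect every occurrence into a list."""
    out: dict[str, list[str]] = {}
    for k, v in split_pairs(qs):
        out.setdefault(k, []).append(v)
    return out

def strategy_matrix(qs: str) -> dict:
    """One row per strategy, so a defender can see where two hops would disagree."""
    return {
        "first": first_wins(qs),
        "last": last_wins(qs),
        "join": join_comma(qs),
        "array": array_ify(qs),
    }

# --- The hypothesis: check reads one occurrence, action reads another ---

ALLOWED_USERS = {"alice"}  # constructed allow-list for the example

def vulnerable_handler(qs: str) -> str:
    """Constructed mismatch: the edge check uses first-wins semantics,
    the backend action uses last-wins semantics on the same request."""
    checked = first_wins(qs).get("user")
    if checked not in ALLOWED_USERS:
        return "denied"
    acted = last_wins(qs).get("user")   # may differ from `checked`
    return f"acting as {acted}"

def duplicate_keys(qs: str) -> list[str]:
    """Detection helper: names of keys that occur more than once."""
    counts: dict[str, int] = {}
    for k, _ in split_pairs(qs):
        counts[k] = counts.get(k, 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)

def hardened_handler(qs: str) -> str:
    """Mitigation: reject duplicated keys up front, then read with one
    strategy only, so check and action cannot see different values."""
    dups = duplicate_keys(qs)
    if dups:
        return f"rejected: duplicate parameter(s) {','.join(dups)}"
    params = first_wins(qs)          # single, explicit strategy
    user = params.get("user")
    if user not in ALLOWED_USERS:
        return "denied"
    return f"acting as {user}"

if __name__ == "__main__":
    for name, parsed in strategy_matrix("id=1&id=2").items():
        print(f"{name:>6}: {parsed}")
    print(vulnerable_handler("user=alice&user=admin"))
    print(hardened_handler("user=alice&user=admin"))
```

Running the matrix over a captured request shows which hop-level assumption a given stack relies on; commonly documented behaviours are last-wins in PHP, comma-join in ASP.NET, first-wins for Werkzeug/Flask `args.get`, and an array from Express's default query parser. The hardened handler's duplicate-key rejection is the cheapest mitigation because it makes the strategy question moot; logging the rejected keys gives a detection signal for HPP probing.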