Prajwal Tuladhar’s Blog
 
programming, life and some random thoughts

Aug 06 2009

HTTP Parameter Pollution - A new kind of attack

Published by Prajwal Tuladhar at 11:54 pm under security

Okay, I definitely haven’t heard this term (HTTP Parameter Pollution) in the past. I came across this post, and was quite amazed by the potential of this new breed of attack. It makes use of the HTTP query string by overriding the query key-value pairs. As we know, this type of URL is perfectly valid:

http://domain.com?par1=value1&par1=value2

However, query strings like this, where a key has multiple values, are interpreted differently by different environments. For example:

  • ASP.NET / ASP using IIS interprets the above query string as par1=value1,value2
  • PHP using Apache interprets the above query string as par1[0]=value1; par1[1]=value2
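
To see why the difference matters for input validation, the sketch below (an added example, not code from the original post or the slides) groups repeated keys from a URL and shows what each collapsing strategy would hand to the application, so a request filter can flag requests where layers could disagree. The function names, the `first`/`last` strategies and the two extra sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# URL from the post, plus two constructed samples for comparison.
SAMPLE = "http://domain.com?par1=value1&par1=value2"
CLEAN = "http://domain.com?par1=value1&par2=value2"      # constructed
ENCODED = "http://domain.com?par1=value1&par%31=value2"  # constructed

# Ways a component can collapse a repeated key. "joined" and "array" are the
# two behaviours listed in the post; "first" and "last" are assumed extras.
STRATEGIES = {
    "joined": lambda vals: ",".join(vals),
    "array": lambda vals: list(vals),
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
}


def group_params(url):
    """Return {name: [values in request order]} for the URL's query string."""
    grouped = {}
    # parse_qsl percent-decodes names, so an encoded spelling of the same
    # key is counted together with the plain one.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def polluted_params(url):
    """Names that occur more than once; a filter can reject or log these."""
    return sorted(n for n, vals in group_params(url).items() if len(vals) > 1)


def interpretations(url):
    """For each repeated key, the value each strategy would produce."""
    return {
        name: {label: fn(vals) for label, fn in STRATEGIES.items()}
        for name, vals in group_params(url).items()
        if len(vals) > 1
    }


if __name__ == "__main__":
    for url in (SAMPLE, CLEAN, ENCODED):
        print(url, polluted_params(url), interpretations(url))
```

If a validation layer and the application behind it use different strategies, the value that was checked is not the value that is used, which is why rejecting or logging repeated keys at the edge is a reasonable default.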

For detailed information about this attack, I strongly recommend viewing the slides:

Unusual behaviors are a usual source of security weaknesses.
Enjoy the slides!

  • tavrej
    hi Prajwal, so some original research on Stefano activities,