Testing for HTTP Parameter pollution (OTG-INPVAL-004)

Brief Summary
Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors, or modify internal variables values.

Description of the Issue
Current HTTP standards do not include guidance on how to interpret multiple input parameters with the same name. Without a standard in place, web applications handle this edge case in a variety of ways (see the table below for details). It is not necessarily an indication of vulnerability when an application server accepts multiple parameters with the same name; this is expected behavior for handling an unusual input. The vulnerability depends on whether one can abuse the concatenation or substitution of variable values to cause errors or bypass validation. (source: [[Media:AppsecEU09_CarettoniDiPaola_v0.8.pdf]])
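The following is an added example, not part of the original guide: it parses one query string that repeats a parameter and shows the value an application ends up with under each of the three handling behaviours the description mentions (first occurrence wins, last occurrence wins, values concatenated), plus a defensive check that rejects any request carrying a repeated name so the application never depends on which value the server picked. The query string and the `validate_strict` helper are constructed for illustration.

```python
"""Added example: interpreting a repeated HTTP parameter under different
server/framework policies, and a strict check that refuses such requests."""
from urllib.parse import parse_qsl

# Constructed sample query string: "role" is supplied twice.
SAMPLE_QUERY = "user=alice&role=guest&role=admin"


def parse_pairs(query):
    """Return the raw (name, value) pairs in request order, keeping duplicates."""
    return parse_qsl(query, keep_blank_values=True)


def interpret(query, policy):
    """Resolve each name to a single value under one policy.

    policy: 'first'  - the first occurrence is kept (substitution)
            'last'   - the last occurrence overwrites earlier ones (substitution)
            'concat' - all occurrences are joined with a comma (concatenation)
    """
    if policy not in ("first", "last", "concat"):
        raise ValueError("unknown policy: " + policy)
    resolved = {}
    for name, value in parse_pairs(query):
        if name not in resolved or policy == "last":
            resolved[name] = value
        elif policy == "concat":
            resolved[name] = resolved[name] + "," + value
        # policy == 'first': keep the value already stored
    return resolved


def duplicate_parameters(query):
    """Names that occur more than once in the query string, sorted."""
    counts = {}
    for name, _ in parse_pairs(query):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def validate_strict(query):
    """Defensive handling: reject a request that repeats any parameter name
    instead of silently picking one value; otherwise return the parsed map."""
    dups = duplicate_parameters(query)
    if dups:
        raise ValueError("repeated parameter(s): " + ", ".join(dups))
    return interpret(query, "first")


if __name__ == "__main__":
    for policy in ("first", "last", "concat"):
        print(policy, "->", interpret(SAMPLE_QUERY, policy)["role"])
    print("repeated:", duplicate_parameters(SAMPLE_QUERY))
```

A validation layer that only inspects the first value while the business logic reads the last (or the concatenated string) is exactly the mismatch this test case looks for.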

Black Box testing and example
Testing for Topic X vulnerabilities: ... Result Expected: ...