
Server-Side Parameter Pollution (SSPP)

Server-Side Parameter Pollution: injecting delimiters into user input to override or add parameters in backend requests, truncating existing values, Param Miner discovery, and blind detection via timing or Burp Collaborator.

What is Server-Side Parameter Pollution

When a web app forwards user input to an internal API, back-end service, or query string without proper encoding, an attacker can inject parameter delimiters (&, #, =) to:

  • Override existing back-end parameters
  • Inject new parameters
  • Truncate parameter values
  • Influence application logic the user is not meant to control

This is distinct from HTTP Parameter Pollution (HPP), which targets parameter parsing in the front-end request; SSPP targets parameters in the back-end server-to-server requests the app builds from that input.


Detection

Step 1 — Identify user input reflected in back-end requests

Look for parameters that appear to trigger server-side actions: password reset, profile lookups, API proxying, search with server-side requests.

Step 2 — Inject URL-encoded delimiters

In Burp Repeater, inject %26 (URL-encoded &) into the parameter value:

POST /forgot-password
email=user%40example.com%26admin=true

If the back-end receives email=user@example.com&admin=true → the injected admin=true is added as a separate parameter.

Observe the response — does it behave differently? Does an error message change?

Step 3 — Truncate with #

Inject %23 (URL-encoded #) to truncate any parameters the app appends after the user value:

username=victim%23

If the app decodes the value and builds GET /api/user?name=victim#&other=value, the # starts a URL fragment, which an HTTP client never sends: the back-end sees only name=victim, and other=value is discarded.

Step 4 — Override a back-end parameter

If you know the app appends role=user after user input:

username=alice%26role=admin

The back-end receives: name=alice&role=admin&role=user. Whether the injected value wins depends on how the back-end resolves a duplicated parameter (first occurrence, last occurrence, or both as a list), so test each case.


Exploit 1: Password Reset Token Manipulation

App sends: POST /api/reset?email=USER_INPUT&token=SERVER_GENERATED

Inject:

email=victim@example.com%26token=attacker_known_value

Back-end receives: email=victim@example.com&token=attacker_known_value&token=SERVER_GENERATED

If the back-end uses the first token → attacker controls the reset token → account takeover.

Practical flow

  1. Start a legitimate password reset for your own account.
  2. Intercept the reset request and note the parameter structure.
  3. Replace your email with victim@example.com%26token=known_value.
  4. Check if the victim receives a reset link with your known token.

Exploit 2: Add an Admin Parameter

POST /register
username=alice%26is_admin=true&password=pass123

Back-end receives: username=alice&is_admin=true&password=pass123

If the back-end processes is_admin → register as admin.


Exploit 3: Truncate a Security Check

App builds: GET /api/lookup?id=USER_ID&verify=true

Inject:

id=5%23

Back-end receives: id=5#&verify=true. The # starts a fragment, so verify=true never reaches the back-end. Security check bypassed.
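The mechanism behind detection steps 2 to 4 and Exploits 1 and 3, seen from the defender's side, as an added example that is not part of the original page: a front-end that builds the back-end URL by string concatenation is polluted by decoded & and # in user input, while the same builder using urlencode keeps them as data. The host name, paths and parameter names are hypothetical.

```python
from urllib.parse import urlencode, urlsplit, parse_qsl

BACKEND = "http://internal-api.local"  # hypothetical internal service


def build_url_vulnerable(path: str, params: dict[str, str]) -> str:
    """Concatenates already-decoded values straight into the query string."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{BACKEND}{path}?{query}"


def build_url_safe(path: str, params: dict[str, str]) -> str:
    """urlencode percent-encodes & # = in every value, so they stay data."""
    return f"{BACKEND}{path}?{urlencode(params)}"


def backend_view(url: str) -> list[tuple[str, str]]:
    """The parameter list a back-end parser sees for this URL.
    Everything after '#' is a fragment that an HTTP client never sends, and
    duplicate names are kept in order so first-wins vs last-wins is visible."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def first_occurrence(params: list[tuple[str, str]]) -> dict[str, str]:
    """Model a back-end that honours the first copy of a duplicated name."""
    chosen: dict[str, str] = {}
    for name, value in params:
        chosen.setdefault(name, value)
    return chosen


def reset_request(email: str, build) -> list[tuple[str, str]]:
    """Exploit 1 shape: email from the user, token appended by the server."""
    return backend_view(build("/api/reset", {"email": email, "token": "SERVER_GENERATED"}))


def lookup_request(user_id: str, build) -> list[tuple[str, str]]:
    """Exploit 3 shape: id from the user, verify=true appended by the server."""
    return backend_view(build("/api/lookup", {"id": user_id, "verify": "true"}))


if __name__ == "__main__":
    # Constructed inputs: what the front-end holds after URL-decoding the
    # user's %26 and %23. Compare the vulnerable and safe builders.
    polluted = "victim@example.com&token=attacker_known_value"
    for build in (build_url_vulnerable, build_url_safe):
        print(build.__name__, reset_request(polluted, build))
        print(build.__name__, lookup_request("5#", build))
```

With the vulnerable builder the reset request carries two token parameters and the lookup request loses verify=true; with the safe builder both values arrive intact as a single parameter each.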


Exploit 4: Inject into Path

If user input is embedded in a path segment:

GET /api/user/alice/profile
# Inject:
GET /api/user/alice%2F..%2Fadmin/profile

This combines URL-encoded path traversal with SSPP: if the back-end decodes %2F and normalises the ../ segment, the request resolves to /api/user/admin/profile (one segment above alice), a resource the user was never meant to reach.


Discovery with Param Miner

Param Miner (Burp extension) can automatically discover injected parameters:

  1. Install Param Miner from BApp Store.
  2. Right-click on a request → Extensions → Param Miner → Guess params (all).
  3. Check Guess query params and enable Add FCBs (fat GET / POST body).
  4. Param Miner tries thousands of parameter names and reports those that cause a different response.
  5. Revisit confirmed parameters with manual SSPP injection.

Blind SSPP Detection

If there’s no visible error or behavioural change, use:

Timing — inject %26delay=10 if you know the back-end API supports it.

Burp Collaborator — inject a Collaborator URL:

email=x%26callback=http://COLLABORATOR_DOMAIN%26

If the back-end makes an HTTP request to the injected callback → confirmed SSPP.


Burp Suite workflow

  1. Proxy — intercept all requests with user input that triggers server-side actions.
  2. Repeater — inject %26param=value, %23, %3D into each parameter.
  3. Param Miner — auto-discover hidden back-end parameters.
  4. Collaborator — set up OOB callbacks for blind detection.
  5. Logger++ — flag responses that differ from baseline after injection.