An HPP attack can be defined as the ability to override or add HTTP GET/POST parameters by injecting query string delimiters.
It affects a building block of all web technologies, so both server-side and client-side attacks exist.
By exploiting HPP vulnerabilities, it may be possible to:
- Override existing hardcoded HTTP parameters.
- Modify the application's behavior.
- Access, and potentially exploit, uncontrollable variables.
- Bypass input validation checkpoints and WAF rules.
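
The following sketch is an added example, not code from the talk or slides. It shows why an unencoded delimiter in a value overrides a hardcoded parameter under different duplicate-handling policies, and how encoding the value and rejecting duplicated names closes the gap. The parameter names `action` and `id`, the sample value and all function names are assumptions made for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode

# Constructed sample: a user-supplied value after the framework has URL-decoded it.
POLLUTED_VALUE = "42&action=delete"


def build_query_unsafe(item_id: str) -> str:
    """Concatenates the value, so a decoded '&' or '=' becomes a real delimiter."""
    return "action=view&id=" + item_id


def build_query_safe(item_id: str) -> str:
    """urlencode() percent-encodes delimiters, keeping them inside the value."""
    return urlencode({"action": "view", "id": item_id})


def resolve(query: str, policy: str) -> dict:
    """Collapse duplicates the way a 'first' or 'last' occurrence parser would."""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if policy == "last" or name not in result:
            result[name] = value
    return result


def duplicated_names(query: str) -> list:
    """Names that occur more than once: the signal a validation layer can reject."""
    counts = Counter(name for name, _ in parse_qsl(query, keep_blank_values=True))
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    for build in (build_query_unsafe, build_query_safe):
        q = build(POLLUTED_VALUE)
        print(build.__name__, q)
        print("  first-occurrence parser:", resolve(q, "first"))
        print("  last-occurrence parser: ", resolve(q, "last"))
        print("  duplicated names:       ", duplicated_names(q))
```

A filter that reads the first occurrence and a back end that reads the last one see different values for `action` in the unsafe query, which is the mismatch behind the validation and WAF bypass item in the list above.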
You can download the slides of the talk here (pdf) or browse them on Slideshare.
Also, we'll soon release a whitepaper to clarify all the details about HPP.
Finally, in a few days the video of the "Yahoo! Classic Mail" Client Side HPP exploitation will be available on this blog.