Hands-On Lab (Beginner)

HTTP Parameter Pollution (HPP) - Manipulating Another User's Basket in OWASP Juice Shop

Learn how HTTP Parameter Pollution (HPP) exploits Broken Access Control to manipulate another user's shopping basket in OWASP Juice Shop.

  • Estimated time: 30 min
  • Guided steps: 3
  • Verification: Auto
  • Sandbox: Isolated

Lab overview

HTTP Parameter Pollution (HPP) is an attack technique that exploits inconsistencies in how web servers and applications handle multiple parameters with the same name. This can lead to unintended behavior, such as bypassing input validation or manipulating data in unexpected ways.

In this lab, you will explore HTTP Parameter Pollution (HPP) by exploiting a vulnerability in the OWASP Juice Shop application. You will learn how to inject multiple basket identifiers into a single API request to manipulate another user’s shopping basket. By understanding this attack, you'll gain insight into how improperly handled input parameters can break application logic and compromise security.
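
The parsing inconsistency described above, and a server-side guard against it, as an added example that is not part of the lab or of Juice Shop's own code. The parameter name `basketId`, the session shape and the sample query string are assumptions constructed for illustration.

```javascript
// Added illustration; the parameter name, session shape and sample query are constructed.
const RAW_QUERY = 'basketId=7&quantity=1&basketId=9'; // same name sent twice

// Two components reading the same request can resolve the duplicate differently.
function firstWins(raw, name) {
  return new URLSearchParams(raw).get(name); // returns the first occurrence
}

function lastWins(raw, name) {
  const all = new URLSearchParams(raw).getAll(name);
  return all.length ? all[all.length - 1] : null;
}

// True when a first-wins check and a last-wins handler would act on different values.
function parsersDisagree(raw, name) {
  return firstWins(raw, name) !== lastWins(raw, name);
}

class AmbiguousParameterError extends Error {}
class ForbiddenError extends Error {}

// Hardened resolution: exactly one well-formed value, and it must belong to the
// authenticated session. Ownership comes from server-side state, never the request.
function resolveBasketId(raw, session) {
  const values = new URLSearchParams(raw).getAll('basketId');
  if (values.length !== 1) {
    throw new AmbiguousParameterError(`expected 1 basketId, got ${values.length}`);
  }
  if (!/^[0-9]+$/.test(values[0])) {
    throw new AmbiguousParameterError('basketId must be a decimal integer');
  }
  const id = Number(values[0]);
  if (id !== session.basketId) {
    throw new ForbiddenError('basket does not belong to the current user');
  }
  return id;
}

// Returns the error class name a request is rejected with, or 'accepted'.
function outcome(raw, session) {
  try {
    resolveBasketId(raw, session);
    return 'accepted';
  } catch (err) {
    return err.constructor.name;
  }
}
```

Rejecting the duplicate outright removes the ambiguity, and the ownership comparison still applies when only one value is sent.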

Objectives:

Upon completing this lab, you will:

  • Understand HTTP Parameter Pollution (HPP) and its implications.
  • Learn to craft API requests to exploit HPP vulnerabilities.
  • Manipulate data in another user’s basket using HPP.

Who is this lab for?

This lab is designed for:

  • Developers seeking to understand and prevent HPP vulnerabilities in their applications.
  • Security professionals looking to explore advanced access control bypass techniques.
  • IT learners aiming to strengthen their knowledge of web application security concepts.

Environment

Web App Workspace

Lab curriculum

  1. Understanding HTTP Parameter Pollution
  2. Adding Product into Another User's Basket (1 automated check)
  3. Mitigation and Takeaways

Skills validated

  • Broken Access Control
  • HTTP Parameter Pollution
