# Parameter Pollution

* [Technical takeaways from H1-415: Using invalid URL encoding sequences (i.e. %$1) can cause HTTP parameter pollution, do virtual host scanning with ports, find the origin server for things behind CDNs, and brute force GraphQL endpoints if introspection is off.](https://twitter.com/Rhynorater/status/1104133664928018432)
* [Got my 1st HTTP Parameter Pollution (HPP) bug rewarded! Targeting an OAuth login: by providing URL parameter "scope" twice, the page asked confirmation for the first, but ended up authorizing all others too:](https://twitter.com/honoki/status/1291307034919542789?s=20)

  [`/oauth?redirect=x&response_type=code&client_id=x&scope=name&scope=email`](https://twitter.com/honoki/status/1291307034919542789?s=20)
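
The duplicate-`scope` mismatch from the OAuth report above, as an added Python example that is not part of the linked tweets. `first_value` and `all_values` are hypothetical stand-ins for the consent page and the grant step, and `strict_params` is one assumed server-side mitigation that rejects repeated keys and malformed escapes such as `%$1`.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: the query string quoted in the OAuth report above.
SAMPLE = "redirect=x&response_type=code&client_id=x&scope=name&scope=email"

# A '%' that is not followed by two hex digits, e.g. "%$1".
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def first_value(query, key):
    """Hypothetical consent page: keeps only the first occurrence of a key."""
    for k, v in parse_qsl(query, keep_blank_values=True):
        if k == key:
            return v
    return None


def all_values(query, key):
    """Hypothetical grant step: keeps every occurrence of a key."""
    return [v for k, v in parse_qsl(query, keep_blank_values=True) if k == key]


def scopes_disagree(query):
    """True when the consent page and the grant step see different scopes."""
    shown = first_value(query, "scope")
    granted = all_values(query, "scope")
    return granted != ([] if shown is None else [shown])


def strict_params(query):
    """Parse once for every consumer; refuse ambiguous input outright."""
    if BAD_ESCAPE.search(query):
        raise ValueError("malformed percent-encoding")
    params = {}
    for k, v in parse_qsl(query, keep_blank_values=True, strict_parsing=True):
        if k in params:
            raise ValueError(f"duplicate parameter: {k}")
        params[k] = v
    return params


if __name__ == "__main__":
    print("shown on consent page:", first_value(SAMPLE, "scope"))
    print("granted:", all_values(SAMPLE, "scope"))
    print("mismatch:", scopes_disagree(SAMPLE))
```

Parsing the request once with `strict_params` and handing the same dictionary to both the consent and grant logic removes the disagreement between components.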
