When the WAF sees one value but your app framework picks a different one from the same parameter name, you've got an HTTP Parameter Pollution vector. This skill walks Claude through the parser behavior matrix (PHP takes last, Flask takes first, IIS joins with commas) and chains that into WAF bypasses, SSRF splits, and business logic abuse. The decision tree and attack templates are concrete enough to drive actual testing. Honest take: HPP is niche but devastating when stacks disagree, and having the server behavior reference beats guessing which occurrence wins. Just keep it scoped since duplicate amount or price parameters can trigger real transactions.
npx skills add https://github.com/yaklang/hack-skills --skill http-parameter-pollution
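
The parser disagreement described above, seen from the defending side, as an added example that is not part of the skill or its repository: it resolves duplicated query parameters under the three behaviors named in the description and flags names where a front-end layer and the application would read different values. The function names, stack labels and sample query strings are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Resolution rules as stated in the description above; labels are hypothetical.
RESOLVERS = {
    "php_last": lambda vals: vals[-1],
    "flask_first": lambda vals: vals[0],
    "iis_comma_join": lambda vals: ",".join(vals),
}

def group_params(query):
    """Collect every value for each parameter name, preserving order."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped

def resolve_views(query):
    """Return {name: {stack: value}} for names that occur more than once."""
    return {
        name: {stack: fn(vals) for stack, fn in RESOLVERS.items()}
        for name, vals in group_params(query).items()
        if len(vals) > 1
    }

def disagreements(query, front, back):
    """Names where the front layer (e.g. a WAF) and the app read different values."""
    return sorted(
        name for name, view in resolve_views(query).items()
        if view[front] != view[back]
    )

def should_reject(query, sensitive=("amount", "price")):
    """Gateway policy sketch: refuse any request that repeats a sensitive name,
    even with identical values, so no layer has to pick a winner."""
    grouped = group_params(query)
    return any(len(grouped.get(name, [])) > 1 for name in sensitive)

# Constructed sample query strings (not taken from real traffic).
SAMPLES = ["item=42&amount=10", "item=42&amount=10&amount=1", "q=a&q=a"]

if __name__ == "__main__":
    for q in SAMPLES:
        print(q, resolve_views(q),
              disagreements(q, "flask_first", "php_last"), should_reject(q))
```

Rejecting or canonicalizing duplicates at the edge removes the ambiguity before any downstream parser has to choose an occurrence.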