I went through this link to understand about HPP (HTTP Parameter Pollution) attacks.

In HPP attacks it seems like, attacker modifies the HTTP parameters and sends the modified URL to the victim. Isn't this same as CSRF attacks? If not can somebody tell me what is the difference between CSRF & HPP?

SSB

2 Answers

From what the linked article describes, it seems that HPP is a specific type of injection attack, where you modify the request parameters in order to modify the contents of the returned page. In a sense, it's a more generalized version of a reflected XSS attack; whereas with XSS you are attempting to inject and execute malicious JavaScript through tampering with a request, in HPP you are trying to modify any data (in the example given, data used to generate URLs) to inject malicious data.

The term CSRF, however, is usually used to describe an attack where an entirely valid request is sent to a server in a context that leads to unexpected or unwanted behavior. The somewhat standard example would be tricking a user into clicking a link on your site, which sends a request to the user's banking site (as the user) to transfer money from their account to yours.

There is nothing preventing an attacker from using an HPP or XSS attack with a CSRF attack. An XSS or HPP attack takes advantage of a lack of validation in the processing of user input that is later returned as part of a response, while a CSRF attack takes advantage of "sequence breaking" in application flow to cause unintended behavior.

F. Stephen Q
  • Thanks for taking time and answering the issue. – SSB Aug 19 '16 at 11:30
  • HPP means creating a request with duplicate parameters which tricks the responding application into processing the attacker's duplicate rather than the original. I've answered too to hopefully clear things up. – SilverlightFox Aug 24 '16 at 17:32
HTTP Parameter Pollution is when your application makes a back-end HTTP request to another system and these parameters can be manipulated by input into your main application. HPP is defined by the fact the attacker causes a duplicate parameter name to be passed to the back-end request, which overrides the parameter value being explicitly passed by the application. A similar vulnerability, HTTP Parameter Injection is defined by the attacker adding a new parameter to the back-end request which is interpreted by the other system. So HPI causes a new parameter to be added, whereas HPP causes an existing parameter to be ignored or interpreted in a new way.

See my answer here for a solid example of HPP.

CSRF doesn't require any back-end HTTP request. This is a front-end request, but made by the victim without their knowledge. It basically means that a malicious request is made using the victim's browser and the victim's authorisation cookies. It could be as simple as a hidden image on the attacker's page:

<img src="https://bank.example.com/transfer_money?toAmount=999&toAccount=12345678" />

This will be triggered whenever the victim visits the attacker's page (e.g. following a link emailed to them, or something posted on a forum).

See my answer here for another example using the POST method.

Sometimes an HPP vulnerability can be exploited via CSRF, for example one that requires the victim to be the one logged into the system that is exploitable via HPP. E.g. the POST to https://www.example.com/transferMoney.php could be made by the attacker's site, passing the toAccount=9876 POST parameter and causing the victim to transfer money to an unauthorised account using their authorisation cookie for www.example.com.

Regarding the article in your question, I don't think that is a realistic HPP attack because any actions that cause a state change should be implemented via the POST method and not a GET link as the article demonstrates, so you wouldn't actually get an action link being constructed from the current page (but hey, anything is possible). This is why HPP is really more around back-end requests in practice.

SilverlightFox
  • Thanks for the clarification. As you said HPP can be exploitable via CSRF. So I guess if we have proper CSRF protection mechanisms the attackers won't be able to trick the users to do HPP. But CSRF filters won't prevent situations mentioned in your HPP examples, where the actual attacker is the user who is using it. – SSB Sep 11 '16 at 20:53
  • Correct. HPP is when parameters are "polluted" by having duplicates that are interpreted in an unintended way. The other answer doesn't mention this key fact. – SilverlightFox Sep 11 '16 at 21:50
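The second answer and its comments hinge on one mechanism: a back-end request built from user input ends up carrying the same parameter name twice, and the receiving system decides (first-wins, last-wins, or something else) which copy counts. The following Python is an added example, not code from either answerer; the back-end host, the function names and the `toAccount=12345678&toAccount=9876` input are all constructed for illustration. It models both parser behaviours, shows why percent-encoding the value stops the pollution, and adds the duplicate-name check a defender would put on the receiving side.

```python
"""HTTP Parameter Pollution (HPP) on a back-end request: vulnerable builder,
hardened builder, two back-end parsing models, and a duplicate-name check.
Added example; hostnames and function names are hypothetical."""
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit

BACKEND = "https://payments.internal.example/transfer"  # constructed placeholder


def build_backend_url_vulnerable(to_account: str, amount: str) -> str:
    # Raw string concatenation: an input containing '&toAccount=...' becomes
    # a second, duplicate toAccount parameter on the back-end request.
    return f"{BACKEND}?toAccount={to_account}&amount={amount}"


def build_backend_url_hardened(to_account: str, amount: str) -> str:
    # urlencode percent-encodes '&' and '=' inside the value, so whatever the
    # user typed stays a single value of a single parameter.
    return f"{BACKEND}?{urlencode({'toAccount': to_account, 'amount': amount})}"


def backend_last_wins(url: str) -> dict:
    # Models a back-end framework that keeps the LAST occurrence of a name
    # (dict() over the pair list overwrites earlier keys).
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def backend_first_wins(url: str) -> dict:
    # Models a back-end framework that keeps the FIRST occurrence of a name.
    seen: dict = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        seen.setdefault(name, value)
    return seen


def duplicate_param_names(url: str) -> list:
    # Defensive check for the receiving system: any repeated parameter name
    # is a sign of pollution and the request should be rejected, not guessed at.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(name for name, values in params.items() if len(values) > 1)


if __name__ == "__main__":
    # Constructed attacker-controlled value: a legitimate account followed by
    # an injected duplicate of the same parameter name.
    polluted_input = "12345678&toAccount=9876"
    vulnerable = build_backend_url_vulnerable(polluted_input, "100")
    hardened = build_backend_url_hardened(polluted_input, "100")
    print("vulnerable URL :", vulnerable)
    print("  last-wins sees toAccount =", backend_last_wins(vulnerable)["toAccount"])
    print("  first-wins sees toAccount =", backend_first_wins(vulnerable)["toAccount"])
    print("  duplicate names:", duplicate_param_names(vulnerable))
    print("hardened URL   :", hardened)
    print("  duplicate names:", duplicate_param_names(hardened))
```

On the vulnerable URL a last-wins back-end pays account 9876 while a first-wins one pays 12345678, which is exactly the "ignored or interpreted in a new way" ambiguity the answer describes; the hardened URL carries one toAccount whose value is the literal, percent-decoded string the user typed.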