Parameter Pollution

Overview

This page contains recommendations for the implementation of protection against parameter pollution attacks.

HTTP Parameter Pollution (HPP) is an evasion technique in which an attacker crafts an HTTP request that supplies the same parameter name more than once in order to manipulate application behaviour or retrieve information that should stay hidden. The technique works by splitting an attack payload across the multiple instances of the parameter, so that each component that parses the request may see a different value.

In the request below, search_string appears twice. Some frameworks take the first value, others the last, and others combine all values into an array or join them into one string with a separator such as a comma (,) or a dash (-). A repeated parameter can therefore produce unexpected behaviour and must be handled explicitly according to the business logic.

GET /search?mode=guest&search_string=kittens&num_results=100&search_string=puppies HTTP/1.1
Host: market.website.local
Cookie: session_id=cf565bc0aaf6560a56c9e6d8632baa58

For example, the following request sends the uid parameter twice. Depending on which instance the application (or a component in front of it) acts on, this parameter pollution attack could end up bypassing an access control check.

GET /profile?uid=35&mode=guest&uid=1 HTTP/1.1
Host: market.website.local
Cookie: session_id=cf565bc0aaf6560a56c9e6d8632baa58
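
As an added example that is not part of the original page, the parser below reads the two requests above with first-wins, last-wins and joining strategies, and then parses them strictly so that a repeated name is rejected instead of silently resolved. The parameter names and allow-lists are assumptions modelled on the page's /search and /profile examples.

```python
# Added example (not code from the original page): shows how first-wins,
# last-wins and joining parsers each read a repeated parameter, and a strict
# parser that refuses duplicates. Allow-lists are assumptions modelled on the page.
from urllib.parse import parse_qsl


class DuplicateParameterError(ValueError):
    """The same parameter name was supplied more than once."""


def interpretations(query: str, name: str) -> dict:
    """How first-wins, last-wins and joining parsers would each read `name`."""
    values = [v for n, v in parse_qsl(query, keep_blank_values=True) if n == name]
    return {"first": values[0], "last": values[-1], "joined": ",".join(values)} if values else {}


def validator(predicate, convert=str):
    """Build a validator: convert the raw string, then require `predicate` to hold."""
    def check(value):
        result = convert(value)  # e.g. int() raises ValueError on non-numeric input
        if not predicate(result):
            raise ValueError(f"invalid value {value!r}")
        return result
    return check


def parse_query_strict(query: str, allowed: dict) -> dict:
    """Parse `query` against an allow-list; unknown or repeated names are rejected."""
    parsed = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in allowed:
            raise ValueError(f"unexpected parameter {name!r}")
        if name in parsed:
            raise DuplicateParameterError(f"parameter {name!r} supplied more than once")
        parsed[name] = allowed[name](value)
    return parsed


# Hypothetical allow-lists for the /search and /profile endpoints shown above.
SEARCH_PARAMS = {
    "mode": validator(lambda v: v in ("guest", "user")),
    "search_string": validator(lambda v: len(v) <= 64),
    "num_results": validator(lambda n: 1 <= n <= 100, int),
}
PROFILE_PARAMS = {
    "mode": SEARCH_PARAMS["mode"],
    "uid": validator(lambda n: n >= 1, int),
}
```

Rejecting a repeated name outright removes the ambiguity entirely, which is usually preferable to choosing a "correct" instance that an upstream component may still read differently.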

General

  • Perform comprehensive input validation on every request (see the Input Validation page).

  • Follow the requirements of the Authorization page so that components do not blindly trust one another; such trust lets an attacker exploit differences in how each component parses parameters.

  • Verify that the application behaves as expected when a single request (GET, POST, PUT, DELETE) contains the same parameter more than once.