# Parameter Pollution

## Overview

This page contains recommendations for the implementation of protection against parameter pollution attacks.

HTTP Parameter Pollution (HPP) is an attack evasion technique that allows an attacker to craft an HTTP request to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name.

In the request below, `search_string` appears twice. Some applications use the first occurrence, others the last one, and others join both values into an array or into a string separated by a comma `,` or a dash `-`. Repeated parameters can therefore trigger unexpected behaviour and must be handled explicitly according to the business logic.

```
GET /search?mode=guest&search_string=kittens&num_results=100&search_string=puppies HTTP/1.1
Host: market.website.local
Cookie: session_id=cf565bc0aaf6560a56c9e6d8632baa58
```

For example, the following request sends `uid` twice. Depending on how the application resolves the duplicate, this parameter pollution attack could end up bypassing an access control check (for instance, if one component authorizes `uid=35` while another component loads the profile for `uid=1`).

```
GET /profile?uid=35&mode=guest&uid=1 HTTP/1.1
Host: market.website.local
Cookie: session_id=cf565bc0aaf6560a56c9e6d8632baa58
```

## General


* Perform comprehensive input validation for each request, see the [Input Validation](/application-security-handbook/web-application/input-validation.md) page.
* Comply with requirements from the [Authorization](/application-security-handbook/web-application/authorization.md) page to avoid blind trust between components, which would otherwise allow an attacker to abuse differences in how different components parse the same parameters.
* Verify that an application behaves as expected when a single request (`GET`, `POST`, `PUT`, `DELETE`) contains the same parameters multiple times.
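As an added example (not code from the handbook), the Python below reproduces the three resolution behaviours described above for a repeated parameter and implements the strict check from the first bullet: a request is rejected when a parameter the application treats as single-valued is supplied more than once. The function names and the `single_valued` allow-set are assumptions; the request targets are the page's own examples.

```python
from urllib.parse import parse_qs, urlsplit

# Request targets taken from the page's two example requests (constructed inputs).
PROFILE_TARGET = "/profile?uid=35&mode=guest&uid=1"
SEARCH_TARGET = "/search?mode=guest&search_string=kittens&num_results=100&search_string=puppies"


def parse_query(target: str) -> dict[str, list[str]]:
    """Parse the query string into name -> list of every supplied value, order preserved.

    parse_qs never silently drops a duplicate, which is what makes the check below possible.
    """
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def resolve_like(values: list[str], strategy: str) -> str:
    """Reproduce how different stacks resolve a repeated parameter (first, last, or joined)."""
    if strategy == "first":
        return values[0]
    if strategy == "last":
        return values[-1]
    if strategy == "join":
        return ",".join(values)
    raise ValueError(f"unknown strategy {strategy!r}")


def validate_single_valued(target: str, single_valued: set[str]) -> dict[str, str]:
    """Strict input validation: each name in `single_valued` may appear at most once.

    Returns a flat name -> value mapping (first value for names not in the set, which is
    a deliberate choice for the example), or raises ValueError naming the polluted parameters.
    """
    parsed = parse_query(target)
    repeated = sorted(name for name, vals in parsed.items() if name in single_valued and len(vals) > 1)
    if repeated:
        raise ValueError(f"repeated single-valued parameters rejected: {repeated}")
    return {name: vals[0] for name, vals in parsed.items()}


if __name__ == "__main__":
    uid_values = parse_query(PROFILE_TARGET)["uid"]
    for strategy in ("first", "last", "join"):
        print(f"{strategy:>5}: uid={resolve_like(uid_values, strategy)}")
    try:
        validate_single_valued(PROFILE_TARGET, {"uid", "mode"})
    except ValueError as exc:
        print("rejected:", exc)
```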
