Parameter Pollution


Last updated 1 year ago

Overview

This page contains recommendations for the implementation of protection against parameter pollution attacks.

HTTP Parameter Pollution (HPP) is an attack evasion technique that allows an attacker to craft an HTTP request to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name.

In the request below, search_string appears twice. Some applications use the first occurrence, others the last, and others join both values into an array or into a single string separated by a comma (,) or a dash (-). Because the outcome differs from one stack to another, the behaviour can be unexpected, and repeated parameters must be handled deliberately according to the business logic.

GET /search?mode=guest&search_string=kittens&num_results=100&search_string=puppies HTTP/1.1
Host: market.website.local
Cookie: session_id=cf565bc0aaf6560a56c9e6d8632baa58

For example, the following request sends the uid twice. Depending on how this is handled, this parameter pollution attack could end up bypassing an access control in the application.

GET /profile?uid=35&mode=guest&uid=1 HTTP/1.1
Host: market.website.local
Cookie: session_id=cf565bc0aaf6560a56c9e6d8632baa58

General

  • Verify that an application behaves as expected when a single request (GET, POST, PUT, DELETE) contains the same parameters multiple times.

  • Perform comprehensive input validation for each request, see the Input Validation page.

  • Comply with the requirements from the Authorization page to avoid blind trust between components, which can be abused when different components parse repeated parameters differently.
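The three parsing behaviours described above, and the strict handling the recommendations call for, as an added example written for this page (not the handbook's own code). It assumes a hypothetical schema of validators per parameter name and uses the two query strings shown earlier as constructed input:

```python
from urllib.parse import parse_qs

# Constructed sample query strings, taken from the two requests shown above.
SEARCH_QUERY = "mode=guest&search_string=kittens&num_results=100&search_string=puppies"
PROFILE_QUERY = "uid=35&mode=guest&uid=1"


def _raw(query: str) -> dict[str, list[str]]:
    # parse_qs keeps every occurrence of a name as a list, which lets us
    # model the first/last/joined behaviours that different stacks exhibit.
    return parse_qs(query, keep_blank_values=True)


def first_wins(query: str) -> dict[str, str]:
    """Stacks that keep the first occurrence of a repeated name."""
    return {name: values[0] for name, values in _raw(query).items()}


def last_wins(query: str) -> dict[str, str]:
    """Stacks that keep the last occurrence of a repeated name."""
    return {name: values[-1] for name, values in _raw(query).items()}


def joined(query: str, sep: str = ",") -> dict[str, str]:
    """Stacks that concatenate all occurrences with a separator."""
    return {name: sep.join(values) for name, values in _raw(query).items()}


class ParameterPollutionError(ValueError):
    """Raised when a request repeats a name, uses an unknown name, or fails validation."""


def parse_strict(query: str, schema: dict) -> dict:
    # Hypothetical hardened parser: `schema` maps each allowed parameter name to a
    # validator that returns the converted value or raises ValueError. Rejecting a
    # repeated name outright removes the ambiguity instead of silently picking one.
    result = {}
    for name, values in _raw(query).items():
        if name not in schema:
            raise ParameterPollutionError(f"unexpected parameter: {name}")
        if len(values) != 1:
            raise ParameterPollutionError(f"parameter {name} supplied {len(values)} times")
        try:
            result[name] = schema[name](values[0])
        except ValueError as exc:
            raise ParameterPollutionError(f"invalid value for {name}: {exc}") from exc
    return result


def _mode(value: str) -> str:
    if value not in {"guest", "member"}:  # constructed allow-list for this example
        raise ValueError("unknown mode")
    return value


PROFILE_SCHEMA = {"uid": int, "mode": _mode}
```

Running parse_strict(PROFILE_QUERY, PROFILE_SCHEMA) raises ParameterPollutionError because uid is supplied twice, whereas first_wins and last_wins silently return "35" and "1" respectively.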