HTTP Parameter Pollution

medium Web Application Scanning Plugin ID 113230

Synopsis

HTTP Parameter Pollution

Description

An HTTP Parameter Pollution (HPP) attack exploits the possibility of including several parameters with the same name in an HTTP request, or of smuggling in a new, URL-encoded parameter. Depending on the web server, the parameters are parsed differently (e.g. only the first or only the last occurrence is used, or all occurrences are concatenated into a single field or array). This can cause unexpected behaviour on both the client side and the server side of the application, for example by tricking the first server, or when the parameters are forwarded to a second server that parses them in a different way.

By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors, or change the values of internal variables. As HTTP Parameter Pollution (abbreviated as HPP) affects a building block of all web technologies, both server-side and client-side attacks exist.

Solution

The mitigation depends mainly on the application's purpose and design, but it is generally recommended to apply the defence-in-depth principle and to enforce controls at every layer.
In the application, do not trust user input: URL-encode values before embedding them in other requests or inputs, and validate them with strict regular expressions.
A specificity of HTTP Parameter Pollution is that it is necessary to take into account how each backend processes multiple occurrences of a parameter, since filtering at point A may not work at point B, which processes the input in another way.
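To make the parser differences and the mitigation concrete, here is an added Python example (not part of the plugin page or Tenable's code) that parses a constructed query string three ways, builds a backend URL by string concatenation versus with urlencode, and provides a defensive accessor that rejects a parameter supplied more than once. The parameter names and the /internal/profile path are assumptions.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed sample query string with a duplicated parameter (not taken from the plugin page).
SAMPLE_QUERY = "id=42&role=user&role=admin"


def all_occurrences(query: str) -> dict:
    """Parser family 1: every occurrence is kept in a list (parse_qs style)."""
    return parse_qs(query, keep_blank_values=True)


def first_occurrence(query: str) -> dict:
    """Parser family 2: the first occurrence wins; later duplicates are ignored."""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        result.setdefault(key, value)
    return result


def last_occurrence(query: str) -> dict:
    """Parser family 3: the last occurrence wins; earlier duplicates are overwritten."""
    return dict(parse_qsl(query, keep_blank_values=True))


def get_single(query: str, name: str) -> str:
    """Defensive accessor: refuse a parameter that appears more or fewer than exactly once."""
    values = all_occurrences(query).get(name, [])
    if len(values) != 1:
        raise ValueError(f"parameter {name!r} must appear exactly once, got {len(values)}")
    return values[0]


def backend_url_unsafe(user_id: str) -> str:
    """Front end forwards a decoded value by concatenation: an '&' inside it becomes a new parameter
    for the second server, which may then apply its own first/last-wins rule (assumed path)."""
    return f"/internal/profile?role=user&id={user_id}"


def backend_url_safe(user_id: str) -> str:
    """urlencode re-encodes '&' and '=' so the value stays inside the parameter it was meant for."""
    return "/internal/profile?" + urlencode({"role": "user", "id": user_id})
```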

See Also

https://owasp.org/www-pdf-archive/AppsecEU09_CarettoniDiPaola_v0.8.pdf

Plugin Details

Severity: Medium

ID: 113230

Type: remote

Published: 5/18/2022

Updated: 5/18/2022

Scan Template: scan, pci

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

Reference Information