The application does not properly handle duplicate HTTP parameters, allowing attackers to inject additional parameters that override or supplement existing ones to bypass validation.
An attacker could bypass input validation, WAF rules, or access controls by supplying duplicate parameters that are processed differently by front-end and back-end components.
Standardize parameter handling across all application layers. Reject requests with duplicate parameters. Use a consistent parameter parsing strategy. Validate parameters after all processing stages.
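The following is an added example, not part of the original finding, showing one way to implement the "reject requests with duplicate parameters" recommendation in Python. The function names (`parse_strict`, `first_wins`, `last_wins`) and the sample request are hypothetical; the two `*_wins` helpers only illustrate how two layers can disagree on the same input.

```python
from urllib.parse import parse_qsl


class DuplicateParameterError(ValueError):
    """Raised when a parameter name occurs more than once in a request."""


def parse_strict(query: str = "", body: str = "") -> dict:
    """Parse the query string and a urlencoded form body into one dict.

    Any name that appears twice, within one source or across both, is
    rejected, so no layer has to pick a "winning" value.
    """
    params = {}
    for source, raw in (("query", query), ("body", body)):
        # keep_blank_values: "role=" still counts as an occurrence of "role".
        # strict_parsing: malformed pairs raise ValueError instead of being dropped.
        pairs = parse_qsl(raw, keep_blank_values=True, strict_parsing=True) if raw else []
        for name, value in pairs:
            # Names are compared after percent-decoding, so "acc%6Funt"
            # and "account" are treated as the same parameter.
            if name in params:
                raise DuplicateParameterError(f"duplicate parameter {name!r} in {source}")
            params[name] = value
    return params


def first_wins(raw: str) -> dict:
    """How one layer might resolve duplicates: keep the first value."""
    out = {}
    for name, value in parse_qsl(raw, keep_blank_values=True):
        out.setdefault(name, value)
    return out


def last_wins(raw: str) -> dict:
    """How another layer might resolve duplicates: keep the last value."""
    return dict(parse_qsl(raw, keep_blank_values=True))


# Constructed sample request, not taken from a real application.
SAMPLE = "account=1001&amount=10&account=2002"

if __name__ == "__main__":
    print("first-wins layer sees:", first_wins(SAMPLE)["account"])
    print("last-wins layer sees: ", last_wins(SAMPLE)["account"])
    try:
        parse_strict(query=SAMPLE)
    except DuplicateParameterError as exc:
        print("strict parser:", exc)
```

Running the same strict parser at every layer that reads parameters, and validating only the dictionary it returns, keeps the validated value and the value the back end acts on identical.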