Parameter Pollution: How to Hunt Silent Access Bugs
Summary
HTTP Parameter Pollution (HPP) is a subtle but dangerous vulnerability in web applications that occurs when a server or backend handles multiple parameters with the same name.
Depending on how they are handled, repeated parameters can lead to privilege escalation, logic bypasses, and critical data leaks.
Because the handling of repeated parameters is undefined in RFCs, different languages and frameworks often implement their own unique behaviours for them.
These can include taking the first value, the last value, concatenating them, or mishandling them completely.
It is important for developers to be aware of these vulnerabilities and to ensure that they validate and sanitize user inputs to prevent HPP.
To avoid such vulnerabilities, developers should use parameterized queries, make use of HTTP-specific headers for requests, favour POST methods over GET requests, and limit input to expected content and formats in order to tighten up access control.
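
The sketch below is an added example, not code from the original article. It shows how first-wins, last-wins and concatenating parsers read the same repeated parameter differently, and a strict parser that rejects repeated or unexpected names before any access decision is made. The parameter names `user_id` and `action` and the sample query string are constructed for illustration.

```python
from urllib.parse import parse_qsl


class DuplicateParameter(ValueError):
    """Raised when a parameter name appears more than once."""


def interpretations(query: str) -> dict:
    """Show how first-wins, last-wins and concatenating parsers read each name."""
    values = {}
    # parse_qsl percent-decodes names, so 'user%5Fid' and 'user_id' are the same key.
    for name, value in parse_qsl(query, keep_blank_values=True):
        values.setdefault(name, []).append(value)
    return {
        name: {"first": v[0], "last": v[-1], "joined": ",".join(v)}
        for name, v in values.items()
    }


def strict_params(query: str, allowed: set) -> dict:
    """Return a name -> value dict, rejecting repeated or unexpected names."""
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in allowed:
            raise ValueError(f"unexpected parameter: {name!r}")
        if name in params:
            raise DuplicateParameter(f"repeated parameter: {name!r}")
        params[name] = value
    return params


if __name__ == "__main__":
    # Constructed sample query string; the names are hypothetical.
    sample = "user_id=1001&action=view&user_id=2002"
    print(interpretations(sample)["user_id"])
    try:
        strict_params(sample, {"user_id", "action"})
    except DuplicateParameter as exc:
        print("rejected:", exc)
```

Rejecting the request outright avoids the case where a front-end check and a backend handler each pick a different value for the same name.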