HTTP parameter pollution - Vulnerability Database

HTTP parameter pollution

Description

HTTP Parameter Pollution (HPP) occurs when an application does not define how multiple instances of the same HTTP parameter name are handled. An attacker supplies a value containing encoded delimiters (for example %26 for & and %3D for =); if a later processing stage decodes that value and splices it unencoded into another query string, a backend request or a URL, the embedded text becomes one or more extra parameters, possibly duplicating names the application already sets. Because server-side technologies resolve duplicate parameters differently (the Java Servlet API and Flask return the first occurrence, PHP keeps the last, ASP.NET concatenates all values with commas, and Express exposes them as an array), the attacker can choose which copy each component sees. The result is unexpected behaviour: overridden fixed parameters, bypassed input filters or web application firewall rules, and altered logic in components that trust the polluted parameter.

Remediation

Implement comprehensive input validation and parameter handling to prevent HTTP Parameter Pollution:

1. Standardize Parameter Handling:
Define and enforce consistent behavior for duplicate parameters across your application. Decide whether to accept only the first occurrence, last occurrence, or reject requests with duplicate parameters entirely.

2. Validate and Sanitize Input:
Implement strict input validation that rejects duplicate parameters and enforces an expected format on each value. Note that the container has already percent-decoded the value by the time you read it, so an injected %26 shows up as a literal & inside the value; the allowlist pattern on the value is what catches it.

// Example: Java servlet parameter validation
// (jakarta.servlet.http.HttpServletRequest request is in scope;
//  ValidationException is an application-defined exception)
String[] paramValues = request.getParameterValues("paramName");
if (paramValues == null || paramValues.length == 0) {
    throw new ValidationException("Missing required parameter");
}
if (paramValues.length > 1) {
    // Log suspicious activity and reject the request outright
    throw new SecurityException("Duplicate parameters detected");
}
String safeValue = paramValues[0];
// Validate against an allowlist pattern; a decoded '&' or '=' fails here
if (!safeValue.matches("^[a-zA-Z0-9]+$")) {
    throw new ValidationException("Invalid parameter format");
}

3. Use Framework-Level Protection:
Configure your web framework to handle duplicate parameters securely. Retrieve parameters through the API that returns every value for a name (for example getParameterValues in the Servlet API rather than getParameter) and check the array length before processing, so that a duplicate cannot be silently collapsed to whichever copy the framework happens to prefer.

4. Implement Allowlisting:
Define expected parameters and their formats using allowlists rather than denylists. Reject requests containing unexpected parameter names or structures.

5. Encode Output:
When reflecting parameter values in responses, or when embedding them in URLs, query strings or backend requests, apply the encoding appropriate to that context (HTML encoding for page content, percent-encoding for URL components). This prevents a decoded value from re-introducing delimiters and closes the secondary injection paths that HPP relies on.
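The following Python script is an added example written for this page, not Invicti's code. It models the mechanism from the Description (a front end that decodes a parameter value and splices it unencoded into a backend query) and the remediation steps above: it resolves duplicate names the way common stacks do, then shows a strict parser that rejects duplicates and unexpected names, enforces per-parameter allowlist patterns, and builds outgoing query strings with proper encoding. The parameter names, allowlist patterns and the request strings are constructed for illustration.

```python
"""Added example (not from the original page): HTTP Parameter Pollution,
shown as a vulnerable forwarding step beside a hardened parser."""
import re
from urllib.parse import parse_qsl, urlencode

# Constructed attacker input: the 'id' value carries an encoded '&' and '='.
ATTACK_QUERY = "id=123%26role%3Dadmin"


def build_backend_query_vulnerable(frontend_query):
    """Vulnerable forwarding step: decode the incoming 'id', then splice it
    into a backend query string without re-encoding it.  The decoded '&'
    now separates a second, attacker-controlled 'role' parameter."""
    params = dict(parse_qsl(frontend_query, keep_blank_values=True))
    return f"id={params['id']}&role=user"


def resolve(query, policy):
    """Collapse duplicate parameter names under one of the policies that
    real stacks use (a constructed model of their documented behaviour)."""
    values = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        values.setdefault(name, []).append(value)
    if policy == "first":   # Java Servlet getParameter(), Flask request.args.get()
        return {k: v[0] for k, v in values.items()}
    if policy == "last":    # PHP $_GET
        return {k: v[-1] for k, v in values.items()}
    if policy == "concat":  # ASP.NET Request.QueryString[name]
        return {k: ",".join(v) for k, v in values.items()}
    if policy == "all":     # Express req.query (array for duplicates)
        return values
    raise ValueError(f"unknown policy {policy!r}")


# Hypothetical allowlist: the only parameters this endpoint accepts, with
# the exact format each value must have.  Note that parse_qsl has already
# percent-decoded the value, so an injected '&' or '=' fails the pattern.
ALLOWED = {
    "id": re.compile(r"[0-9]{1,10}"),
    "role": re.compile(r"user|admin"),
}


class ParameterPollutionError(ValueError):
    """Raised for duplicate, unexpected or malformed parameters."""


def parse_strict(query, allowed=ALLOWED):
    """Hardened parser: one value per name, names from the allowlist only,
    every value matched in full against its pattern."""
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in allowed:
            raise ParameterPollutionError(f"unexpected parameter {name!r}")
        if name in seen:
            raise ParameterPollutionError(f"duplicate parameter {name!r}")
        if not allowed[name].fullmatch(value):
            raise ParameterPollutionError(f"invalid value for {name!r}")
        seen[name] = value
    return seen


def is_rejected(query):
    """True if parse_strict refuses the query (used for demonstration)."""
    try:
        parse_strict(query)
    except ParameterPollutionError:
        return True
    return False


def build_backend_query_safe(params):
    """Hardened forwarding step: percent-encode every value, so a decoded
    '&' or '=' inside a value can never become a delimiter downstream."""
    return urlencode(params)


if __name__ == "__main__":
    polluted = build_backend_query_vulnerable(ATTACK_QUERY)
    print("backend query:", polluted)
    for policy in ("first", "last", "concat", "all"):
        print(f"  {policy:>6}: role = {resolve(polluted, policy)['role']!r}")
    print("strict parse of attack input rejected:", is_rejected(ATTACK_QUERY))
    print("safe backend query:",
          build_backend_query_safe({"id": "123&role=admin", "role": "user"}))
```

Running the script prints the polluted backend query `id=123&role=admin&role=user` and shows that a first-wins backend sees `role=admin` while a last-wins backend sees `role=user`; the strict parser rejects the attack input because the decoded `id` value no longer matches its pattern, and the safe builder emits `id=123%26role%3Dadmin&role=user`, keeping the delimiters inert.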

Related Vulnerabilities