HTTP Parameter Pollution

HTTP Parameter Pollution


2 min read

HTTP parameter pollution works based on the fact of different implementation on parsing url query string parameters. We use url query string parameters a lot but actually there is no standard defining how to handling the cases of repetive parameters.

For example, we can pass parameters a and b to backend by this url http://localhost:8080/?a=1&b=2. But what if we change the query string as below?


Because there is no standard how to handle this, then different server framework may handle this differently. They may choose the first one, or the last one, or any other ways.

For example, in Flask, the first one is chosen.

from flask import Flask
from flask import request

app = Flask(__name__)

def index():
    print(request.args.get("a")) # 1
    return "hello", debug=True)

In express.js, we get both as an array.

const express = require("express");

const app = express();

app.get("/", (req, res) => {
    console.log(req.query['a']); // ["1", "2"]

app.listen(8080, () => {
    console.log("listen 8080");

Because of this fact, the attackers could change the query string parameter to according to their own needs.

Or in some other cases, these parameter could be changed in a way that can be used to pass the firewall and do the attack on real service server.

So be aware of this when developing applications and do validations carefully.