HTTP Parameter Pollution
Description
The application includes unvalidated user input in a URL, which can lead to HTTP Parameter Pollution (HPP) or Server-Side Request Forgery (SSRF). When raw input is concatenated into a query string, an adversary can add, override or duplicate request parameters, or alter the URL that the server requests.
Examples
Insecure Code

```java
import org.apache.http.client.methods.HttpGet;

// The raw "key" value becomes the entire query string, so delimiters such as '&' and '=' in it add or override parameters.
HttpGet httpget = new HttpGet("https://example.com/getId?" + request.getParameter("key"));
```

Secure Code

```java
import org.apache.http.client.methods.HttpGet;

// lookupTable is a Map<String, String> of allowed keys to fixed values; only those values ever reach the URL.
String userInput = request.getParameter("key");
String value = lookupTable.getOrDefault(userInput, "value1");
final HttpGet httpget = new HttpGet("https://example.com/getId?key=" + value);
```

Remediation
Use a map to look up user-supplied information and return exact values to be used in the generation of requests, or encode user-supplied input prior to use and never allow full URLs.
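The following self-contained Java class is an added example, not code from the rule or its vendor. It shows both remediations side by side with the vulnerable concatenation, using only the JDK (`java.net.URI`, `java.net.URLEncoder`) instead of Apache HttpClient's `HttpGet`, so it compiles without extra dependencies. The class name `HppSafeUrl`, the `LOOKUP` map contents and the sample input are assumptions made for the demonstration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example (hypothetical class): compares raw concatenation with the two
// remediations from the rule, an allowlist lookup and URL-encoding of the value.
public class HppSafeUrl {
    private static final String BASE = "https://example.com/getId";

    // Assumed allowlist: user-facing keys mapped to the exact values the request may carry.
    private static final Map<String, String> LOOKUP = Map.of(
            "alpha", "value1",
            "beta", "value2");

    // Vulnerable pattern from the rule: the input is appended as the whole query string.
    static String insecure(String userInput) {
        return BASE + "?" + userInput;
    }

    // Remediation 1: resolve the input through the map; unknown keys fall back to a default.
    static String viaLookup(String userInput) {
        String value = LOOKUP.getOrDefault(userInput, "value1");
        return BASE + "?key=" + value;
    }

    // Remediation 2: keep the input but percent-encode it, so '&' and '=' can no
    // longer act as parameter delimiters when the receiving server parses the query.
    static String viaEncoding(String userInput) {
        String encoded = URLEncoder.encode(userInput, StandardCharsets.UTF_8);
        return BASE + "?key=" + encoded;
    }

    // Number of parameters the receiving server would see in the query string.
    static int paramCount(String url) {
        String query = URI.create(url).getRawQuery();
        return (query == null || query.isEmpty()) ? 0 : query.split("&").length;
    }

    public static void main(String[] args) {
        // Constructed input: a plausible key followed by a smuggled second parameter.
        String polluted = "alpha&limit=1000";

        for (String url : new String[] {insecure(polluted), viaLookup(polluted), viaEncoding(polluted)}) {
            System.out.println(url + "  ->  parameters seen by server: " + paramCount(url));
        }
    }
}
```

Running `main` shows the raw concatenation producing two parameters from a single input value, while both remediations yield exactly one `key` parameter. The lookup approach is the stricter of the two because the URL can only ever contain values the application itself defined; encoding preserves arbitrary input but still prevents it from introducing new parameters.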
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0709 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-88 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | http parameter pollution, server side request forgery |
| OWASP | A1:2017-Injection, A03:2021-Injection |