HTTP Parameter Pollution
Description
Concatenating unvalidated user input into a URL lets an attacker control more than the one parameter value the developer intended. If the input contains query-string delimiters such as &, = or #, the attacker can override the value of an existing parameter, inject a new parameter, or reach parameters the application never meant to expose to the client. HTTP Parameter Pollution (HPP) attacks consist of injecting such delimiters (often URL-encoded, so they survive an intermediate decoding step) into existing parameter values. Which value a backend honours when the same name appears more than once (the first occurrence, the last, or all of them as a list) depends on the framework, so the impact varies from target to target. If the application does not validate and encode the input, the attacker can subvert its logic on the client side (for example in links the application builds into a page) or on the server side (in requests the application sends to other services).
Examples
Insecure Code
```scala
// The raw value is spliced into the query string, so "&", "=" and "#" in it act as
// delimiters: the attacker can append parameters or repeat "param" with another value.
val url = "https://example.com?param=" + request.getParameter("userInput")
```
Secure Code
```scala
// URLEncoder.encode percent-encodes delimiter characters ("&" -> %26, "=" -> %3D, "#" -> %23,
// spaces -> "+"), so the whole input stays the value of "param". Note that getParameter
// returns null when the parameter is absent, and encode(null, ...) throws; check for that first.
val url = "https://example.com?param=" + java.net.URLEncoder.encode(request.getParameter("userInput"), "UTF-8")
```
Remediation
Validate user input against an allowlist of expected parameter names and values before it reaches a URL, and percent-encode every value you do concatenate (or build the query string with an API that encodes values for you) so that delimiter characters cannot be interpreted structurally. Encoding alone does not fix a parameter that should never have been user-controlled: decide per parameter who may set it, and treat a request in which the same name appears more than once as suspicious rather than silently picking one occurrence.
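The following example is added for this page and is not part of the original rule; it is written in Python rather than the page's Scala so it can be run stand-alone, but the two build_url functions mirror the insecure and secure Scala snippets above. It goes slightly beyond the single-parameter case on the page: a server-controlled role parameter sits in front of the user-controlled one, so the payload can both override an existing parameter and inject a new one. It then parses each URL the way a server framework would, shows first-wins and last-wins resolution of the duplicated name, and applies the allowlist check from the remediation. The endpoint, the role parameter, the allowlist pattern and the attacker payload are all constructed assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoint with a server-controlled "role" parameter placed before the
# user-controlled one. Both are assumptions for this example, not from the original page.
BASE = "https://example.com/transfer"


def build_url_insecure(user_input: str) -> str:
    """Raw concatenation, mirroring the page's insecure Scala snippet."""
    return f"{BASE}?role=user&param={user_input}"


def build_url_secure(user_input: str) -> str:
    """Build the query with urlencode(), which percent-encodes every value it is given
    (like java.net.URLEncoder.encode), so '&', '=' and '#' in the input are data, not delimiters."""
    return f"{BASE}?{urlencode({'role': 'user', 'param': user_input})}"


def query_params(url: str) -> dict[str, list[str]]:
    """Parse the query string keeping every occurrence of a name, in order."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def first_value(params: dict[str, list[str]], name: str) -> str | None:
    """Resolution used by some frameworks: the first occurrence wins."""
    values = params.get(name)
    return values[0] if values else None


def last_value(params: dict[str, list[str]], name: str) -> str | None:
    """Resolution used by other frameworks: the last occurrence wins."""
    values = params.get(name)
    return values[-1] if values else None


# Allowlist for what "param" may legitimately contain. The pattern is an assumption
# chosen for this example and must be adapted to the real parameter's contract.
PARAM_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_param(user_input: str) -> str:
    """Reject anything outside the allowlist before it gets anywhere near a URL."""
    if not PARAM_PATTERN.fullmatch(user_input):
        raise ValueError("param contains characters outside the allowlist")
    return user_input


# Constructed attacker input: a benign-looking value followed by an injected
# delimiter, an override of "role" and a brand-new "debug" parameter.
PAYLOAD = "x&role=admin&debug=1"


def demo() -> dict[str, dict[str, list[str]]]:
    """Return the parsed parameters a server would see for each way of building the URL."""
    return {
        "insecure": query_params(build_url_insecure(PAYLOAD)),
        "secure": query_params(build_url_secure(PAYLOAD)),
    }


if __name__ == "__main__":
    for label, params in demo().items():
        print(f"{label}: {params}")
        print(f"  role seen by a first-wins parser: {first_value(params, 'role')}")
        print(f"  role seen by a last-wins parser:  {last_value(params, 'role')}")
```

With the insecure builder the server sees role twice (user, then admin) plus an unexpected debug parameter, and a last-wins framework grants the attacker the admin role; with the encoded builder the entire payload remains the single value of param and role is untouched. validate_param rejects the payload outright, which is the check the remediation asks for in addition to encoding.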
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0047 |
| Category | Web |
| Severity | HIGH |
| CWE | CWE-88 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | injection, parameter pollution |
| OWASP | N/A |