Parameter Pollution
Description
Parameter Pollution (HTTP Parameter Pollution, HPP) occurs when a request carries several parameters with the same name (in the query string, the POST body, or both) and the application does not define which occurrence it will use. Web servers, frameworks and application code resolve the duplicate differently (first value, last value, or all values), so the same request can mean different things to different layers, potentially leading to unexpected behavior or security vulnerabilities.
Example with Scenario
Scenario: A web application processes query parameters for user authentication. An attacker can craft a URL with duplicate parameters to bypass authentication or manipulate application behavior.
Payloads and Test Cases
Payloads
Bypassing Authentication:
/login?user=admin&user=attacker
Manipulating Values:
/order?item=book&item=laptop
Changing Logic:
/action?role=admin&role=user
Test Cases
Bypassing Authentication:
Payload:
/login?user=admin&user=attacker
Test Case:
# Send payload to the server
sendPayloadToServer("/login?user=admin&user=attacker")
# Verify if the application logs in as admin
checkAuthentication("admin")
Manipulating Values:
Payload:
/order?item=book&item=laptop
Test Case:
# Send payload to the server
sendPayloadToServer("/order?item=book&item=laptop")
# Verify if the application processes both items
checkOrderItems(["book", "laptop"])
Changing Logic:
Payload:
/action?role=admin&role=user
Test Case:
# Send payload to the server
sendPayloadToServer("/action?role=admin&role=user")
# Verify if the application processes the first or last role
checkRoleProcessing(["admin", "user"])
Mitigation
Parameter Validation:
Validate parameters to ensure they are unique and meet expected criteria.
Reject requests with duplicate parameters.
Use a Single Parameter Source:
Use a single source of parameters (e.g., query string, POST body) to avoid confusion.
Avoid mixing parameters from different sources.
Sanitize Input:
Sanitize and normalize parameter input to prevent unexpected behavior.
Implement strict parameter parsing and validation.
Framework Protections:
Use frameworks and libraries whose handling of repeated parameters is documented, and rely on that documented behavior rather than on assumptions.
Enable any built-in protections the framework offers against parameter pollution (for example, rejecting or flagging repeated parameter names) so that the application never has to guess which value was intended.
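The following Python example is added here to illustrate both the test cases above and the "Parameter Validation" mitigation; it is not code from the original page. It takes the page's three payload URLs and shows how the same polluted query string resolves to different values under the three common duplicate-resolution policies (first, last, all), then applies a hardened parser that rejects any request repeating a parameter name, plus a small detection helper that reports the duplicated names for logging. All function names (parse_polluted, parse_strict, find_duplicates) are assumptions of this example; only urllib.parse from the standard library is used.

```python
"""HTTP Parameter Pollution: resolution policies, strict rejection, detection.

Added example, not part of the original page. The URLs are the page's own
payloads; the function names and the policy labels are constructed here.
"""
from urllib.parse import parse_qsl, urlsplit


class DuplicateParameterError(ValueError):
    """Raised by parse_strict when a parameter name appears more than once."""


def _pairs(url):
    """Split a URL and return its query string as an ordered list of
    (name, value) tuples, keeping every occurrence of a repeated name."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def parse_polluted(url, policy):
    """Resolve repeated parameters the way different stacks do.

    'first' keeps the first occurrence (e.g. Java Servlet getParameter()),
    'last'  keeps the last occurrence  (e.g. PHP's $_GET),
    'all'   keeps every occurrence as a list.
    The point is that one request yields a different user/item/role
    depending on which layer parses it.
    """
    result = {}
    for name, value in _pairs(url):
        if policy == "first":
            result.setdefault(name, value)
        elif policy == "last":
            result[name] = value
        elif policy == "all":
            result.setdefault(name, []).append(value)
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return result


def parse_strict(url):
    """Hardened parser for the 'Parameter Validation' mitigation: any
    repeated name is rejected outright, so the ambiguity never reaches
    application logic."""
    seen = {}
    for name, value in _pairs(url):
        if name in seen:
            raise DuplicateParameterError(f"duplicate parameter: {name}")
        seen[name] = value
    return seen


def find_duplicates(url):
    """Detection helper: return the sorted list of parameter names that
    occur more than once, suitable for a log line or a request filter."""
    counts = {}
    for name, _ in _pairs(url):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, count in counts.items() if count > 1)


if __name__ == "__main__":
    payloads = [
        "/login?user=admin&user=attacker",
        "/order?item=book&item=laptop",
        "/action?role=admin&role=user",
    ]
    for url in payloads:
        print(url)
        for policy in ("first", "last", "all"):
            print(f"  {policy:5}: {parse_polluted(url, policy)}")
        print(f"  duplicated names: {find_duplicates(url)}")
        try:
            parse_strict(url)
        except DuplicateParameterError as exc:
            print(f"  strict parser rejected request: {exc}")
```

Running the script shows why the page's test cases check for "first", "last" or "both": the login payload is admin under the first-wins policy and attacker under last-wins, while the strict parser refuses the request entirely. In a real service, parse_strict (or the equivalent framework setting) belongs at the request boundary, and find_duplicates gives the defender a cheap signal to alert on.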