Parameter Pollution

Description

Parameter Pollution occurs when an application processes multiple parameters with the same name, potentially leading to unexpected behavior or security vulnerabilities.

Example with Scenario

Scenario: A web application processes query parameters for user authentication. An attacker can craft a URL with duplicate parameters to bypass authentication or manipulate application behavior.

Payloads and Test Cases

Payloads

1. Bypassing Authentication:

   Copy

   /login?user=admin&user=attacker

2. Manipulating Values:

   Copy

   /order?item=book&item=laptop

3. Changing Logic:

   Copy

   /action?role=admin&role=user

Test Cases

1. Bypassing Authentication:

   • Payload:

     Copy

     /login?user=admin&user=attacker

   • Test Case:

     Copy

     # Send payload to the server
     sendPayloadToServer("/login?user=admin&user=attacker")
     # Verify if the application logs in as admin
     checkAuthentication("admin")

2. Manipulating Values:

   • Payload:

     Copy

     /order?item=book&item=laptop

   • Test Case:

     Copy

     # Send payload to the server
     sendPayloadToServer("/order?item=book&item=laptop")
     # Verify if the application processes both items
     checkOrderItems(["book", "laptop"])

3. Changing Logic:

   • Payload:

     Copy

     /action?role=admin&role=user

   • Test Case:

     Copy

     # Send payload to the server
     sendPayloadToServer("/action?role=admin&role=user")
     # Verify if the application processes the first or last role
     checkRoleProcessing(["admin", "user"])

Mitigation

1. Parameter Validation:

   • Validate parameters to ensure they are unique and meet expected criteria.

   • Reject requests with duplicate parameters.

2. Use a Single Parameter Source:

   • Use a single source of parameters (e.g., query string, POST body) to avoid confusion.

   • Avoid mixing parameters from different sources.

3. Sanitize Input:

   • Sanitize and normalize parameter input to prevent unexpected behavior.

   • Implement strict parameter parsing and validation.

4. Framework Protections:

   • Use frameworks and libraries that automatically handle parameter pollution.

   • Enable built-in protections against parameter pollution vulnerabilities.