Security Test: Frontend HTTP Parameter Pollution¶

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	Frontend Scanner

Description¶

Default Severity:

HTTP Parameter Pollution (HPP) occurs when an application accepts and processes multiple HTTP parameters with the same name without proper handling. This vulnerability allows attackers to inject additional parameters into requests, potentially bypassing input validation, access controls, or altering application behavior. Different web technologies handle duplicate parameters differently - some use the first occurrence, others the last, and some concatenate all values. This inconsistency can be exploited to manipulate application logic.

Reference:

https://en.wikipedia.org/wiki/HTTP_parameter_pollution
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution

Configuration¶

Identifier: frontend_injection/http_param_pollution

Examples¶

All configuration available:

checks:
  frontend_injection/http_param_pollution:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API10:2023
OWASP LLM Top 10	LLM01:2023
PCI DSS	`6.5.7`
GDPR	`Article-32`
SOC2	`CC1`
PSD2	`Article-95`
ISO 27001	`A.14.2`
NIST	`SP800-53`
FedRAMP	`AC-4`
CWE	`20`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C`
CVSS Score	`7.2`