
Injection: Frontend HTTP Parameter Pollution

Identifier: http_param_pollution

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

HTTP Parameter Pollution (HPP) occurs when an application accepts and processes multiple HTTP parameters with the same name without proper handling. This vulnerability allows attackers to inject additional parameters into requests, potentially bypassing input validation or access controls, or altering application behavior. Different web technologies handle duplicate parameters differently: some use the first occurrence, others the last, and some concatenate all values. This inconsistency can be exploited to manipulate application logic.
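The three duplicate-handling behaviours named above (first wins, last wins, concatenate) are easy to see side by side with Python's standard query-string parser, and the same parser gives a simple detection and mitigation: flag any request whose query string repeats a parameter name, and reject it at the application boundary. The following is an added example written for this page, not code from the scanner or the project it documents; the access-log lines are constructed and the paths and parameter names in them are hypothetical.

```python
from urllib.parse import parse_qs, parse_qsl, urlsplit

# Constructed sample access-log lines (hypothetical, not from any real system).
# Each line is "<method> <request-target> <version>", as in a common access log.
SAMPLE_LOG = [
    "GET /api/transfer?amount=10&to=alice HTTP/1.1",
    "GET /api/transfer?amount=10&to=alice&to=bob HTTP/1.1",
    "GET /search?q=shoes&page=2 HTTP/1.1",
    "POST /login?next=/home&next=/admin HTTP/1.1",
]


def first_wins(query: str) -> dict[str, str]:
    """Resolve duplicates the way a 'first occurrence' parser does."""
    out: dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(name, value)
    return out


def last_wins(query: str) -> dict[str, str]:
    """Resolve duplicates the way a 'last occurrence' parser does."""
    # dict() over an ordered pair list keeps the last value for each key.
    return dict(parse_qsl(query, keep_blank_values=True))


def concat_all(query: str, sep: str = ",") -> dict[str, str]:
    """Resolve duplicates the way a 'concatenate all values' parser does."""
    return {name: sep.join(values)
            for name, values in parse_qs(query, keep_blank_values=True).items()}


def duplicated_params(query: str) -> dict[str, list[str]]:
    """Return only the parameters that appear more than once, with all their values."""
    return {name: values
            for name, values in parse_qs(query, keep_blank_values=True).items()
            if len(values) > 1}


def parse_strict(query: str) -> dict[str, str]:
    """Mitigation: refuse the request instead of guessing which value was meant."""
    dups = duplicated_params(query)
    if dups:
        raise ValueError("duplicate query parameters: " + ", ".join(sorted(dups)))
    return {name: values[0]
            for name, values in parse_qs(query, keep_blank_values=True).items()}


def flag_polluted_requests(log_lines: list[str]) -> list[tuple[str, dict[str, list[str]]]]:
    """Detection: list (request-target, duplicated parameters) for polluted requests."""
    hits = []
    for line in log_lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue  # malformed line; nothing to inspect
        target = parts[1]
        dups = duplicated_params(urlsplit(target).query)
        if dups:
            hits.append((target, dups))
    return hits


if __name__ == "__main__":
    q = "amount=10&to=alice&to=bob"
    print("first wins :", first_wins(q))
    print("last wins  :", last_wins(q))
    print("concatenate:", concat_all(q))
    for target, dups in flag_polluted_requests(SAMPLE_LOG):
        print("polluted request:", target, dups)
```

Running the script shows the same query string resolving `to` to `alice`, `bob`, or `alice,bob` depending on the parser, which is exactly the inconsistency the description warns about; a frontend and backend that disagree on the rule can validate one value and act on another. `parse_strict` closes that gap by rejecting repeated names outright, and `flag_polluted_requests` is the log-side check that surfaces such requests for review.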

References:

Configuration

Example

Example configuration:

---
security_tests:
  http_param_pollution:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.