# Injection: Frontend HTTP Parameter Pollution

Identifier: `http_param_pollution`

## Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
## Description

HTTP Parameter Pollution (HPP) occurs when an application accepts and processes several HTTP parameters with the same name without handling the duplicates deliberately. An attacker can then inject additional copies of a parameter into a request and potentially bypass input validation or access controls, or otherwise alter application behavior.

**How we test:** We send requests containing duplicate parameter names and observe how the application resolves them. Web technologies differ in whether they keep the first occurrence, the last one, or all of them, and we analyze the response to detect whether this resolution can be exploited to manipulate application logic.
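The inconsistency described above is easiest to see in code. The following is an added example, not part of the scanner's documentation or code: it groups every occurrence of a parameter name in a raw query string, models the three resolution strategies back ends commonly use (first wins, last wins, all values concatenated), and implements a defensive guard that rejects a request when a parameter the application reads as single-valued is repeated. The sample request, the parameter name `user`, and the `single_valued` allowlist are constructed for illustration.

```python
"""Added example: detecting HTTP Parameter Pollution at the request boundary.

Not from the scanner's documentation. It shows why a repeated parameter is
interpreted differently by different back ends and how an application can
refuse such requests for parameters it treats as scalars.
"""
from urllib.parse import parse_qsl


def group_params(query: str) -> dict[str, list[str]]:
    """Group every occurrence of each parameter name, in request order.

    parse_qsl percent-decodes names, so ``%75ser`` and ``user`` land in the
    same bucket. Most servers decode the same way, which is why an encoded
    duplicate still counts as pollution.
    """
    grouped: dict[str, list[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return grouped


def duplicate_params(query: str) -> dict[str, list[str]]:
    """Return the names that appear more than once, with every value seen."""
    return {n: v for n, v in group_params(query).items() if len(v) > 1}


# Three resolution strategies seen in the wild. The same request yields a
# different "user" under each, which is exactly what a polluting request
# relies on when a front end and a back end disagree.
def first_wins(query: str) -> dict[str, str]:
    """Keep the first occurrence of each name."""
    return {n: v[0] for n, v in group_params(query).items()}


def last_wins(query: str) -> dict[str, str]:
    """Keep the last occurrence of each name."""
    return {n: v[-1] for n, v in group_params(query).items()}


def concat_all(query: str) -> dict[str, str]:
    """Join all occurrences with a comma."""
    return {n: ",".join(v) for n, v in group_params(query).items()}


def check_request(query: str, single_valued: frozenset[str]) -> tuple[bool, list[str]]:
    """Reject a request that repeats a parameter the application reads as a scalar.

    Repeated names are legitimate for multi-valued inputs (``tag=a&tag=b``),
    so only the names in ``single_valued`` (an assumed allowlist) are enforced.
    Returns (accepted, reasons).
    """
    reasons = [
        f"parameter {name!r} supplied {len(values)} times: {values}"
        for name, values in duplicate_params(query).items()
        if name in single_valued
    ]
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample request: a front end that reads the first "user"
    # and a back end that reads the last one act on different accounts.
    polluted = "user=alice&limit=10&%75ser=bob"
    print("duplicates:", duplicate_params(polluted))
    print("first wins:", first_wins(polluted)["user"])
    print("last wins :", last_wins(polluted)["user"])
    print("concat    :", concat_all(polluted)["user"])
    print("verdict   :", check_request(polluted, frozenset({"user"})))
```

Running the module prints the three divergent readings of `user` and a rejection verdict for the polluted request; a request that repeats only a legitimately multi-valued name is accepted.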
References:
- https://en.wikipedia.org/wiki/HTTP_parameter_pollution
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution
## Configuration

### Example
Example configuration:
## Reference

### skip

Type: boolean

Skip the test if true.