HTTP Parameter Override

ID

http_parameter_override

Severity

high

Kind

Injection

CWE

20

Description

This detector identifies HTML forms that do not specify an action URL (the action attribute is missing or empty), which leaves them open to HTTP parameter override. A form with no action submits to the URL of the page it appears on, and for a POST form that URL is used as-is, query string included. Any parameters an attacker has placed in that query string therefore arrive at the server together with the form fields. The issue is best known in Java Servlets, where request.getParameter() aggregates query-string and request-body parameters and lists the query-string values first, but any platform that merges the two parameter sources in the same way is affected.
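As an added illustration of what the detector looks for (this is not the detector's own implementation), the following standard-library Python scanner flags every form whose action attribute is absent or empty, since the HTML submission algorithm treats both the same way, and records whether the form posts, because only a POST submission keeps the document's query string. The sample markup is constructed for the example.

```python
"""Scan HTML for <form> elements whose action is missing or empty.

Added example, not the detector's real implementation. Uses only the
standard library; the sample markup below is constructed.
"""
from html.parser import HTMLParser


class FormActionScanner(HTMLParser):
    """Collect every <form> start tag with its action, method and line."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        # Valueless attributes arrive as None; normalise to "".
        attr = {name: (value if value is not None else "") for name, value in attrs}
        method = attr.get("method", "get").strip().lower()
        self.forms.append({
            "line": self.getpos()[0],            # 1-based line of the tag
            "action": attr.get("action"),        # None when the attribute is absent
            # Browsers treat anything other than post as get.
            "method": "post" if method == "post" else "get",
        })


def find_forms_without_action(html):
    """Return one finding per form whose action is missing or empty."""
    scanner = FormActionScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        action = form["action"]
        # action="" and a missing action both resolve to the document URL.
        if action is None or action.strip() == "":
            findings.append({
                "line": form["line"],
                "method": form["method"],
                # POST keeps the document's query string; GET replaces it
                # with the form fields, so the override does not apply.
                "query_string_preserved": form["method"] == "post",
            })
    return findings


# Constructed sample page: two exploitable forms (lines 2 and 6), one safe
# form with an explicit action (line 7), one GET form without action (line 8).
SAMPLE_HTML = """\
<html><body>
<form method="post">
  <input type="hidden" name="role" value="user">
  <input name="email">
</form>
<form action="" method="POST"><input name="q"></form>
<form action="/search" method="get"><input name="q"></form>
<form method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_forms_without_action(SAMPLE_HTML):
        print(finding)
```

Running the scanner on the sample reports lines 2, 6 and 8; only the first two are POST forms, so only those keep an attacker's query string at submission time.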

Rationale

A form without an explicit action submits to the URL of the current page. For a POST form the browser sends that URL unchanged, including whatever query string it carries, while the form fields travel in the request body (a GET form instead replaces the query string with the form fields, so it is not affected in the same way). If the server merges query-string and body parameters into one set and returns the first value for a name, a value in the query string shadows the same-named field in the body. An attacker therefore only needs to get the victim to open a link such as /profile?role=admin: when the victim submits the page's form, the hidden field role=user in the body is outranked by role=admin from the URL, and the application acts on the attacker's value, potentially bypassing security controls or enabling privilege escalation or other unauthorized actions.

Remediation

Explicitly specify the action URL in every HTML form using the action attribute, preferably as an absolute path to the intended endpoint. Do not rely on the default behavior, and note that action="" is equivalent to omitting the attribute. On the server side, validate all input parameters, and for POST handlers either read parameters from the request body only or reject requests in which the same parameter name appears in both the query string and the body. Finally, enforce access control from the authenticated session rather than from request parameters, so that a manipulated parameter cannot change an authorization decision.
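The following added example walks through the mechanism from the Rationale and the fixes from the Remediation together. It is not code from the page or from any real servlet container: it models the browser's form-submission URL resolution, a Servlet-style parameter map in which query-string values precede body values, and request.getParameter() returning the first value. The host, path and field names are constructed, and the body-only lookup and cross-source duplicate check are this example's own hardening choices.

```python
"""HTTP parameter override, end to end: browser submission, servlet-style
parameter aggregation, and two server-side mitigations.

Added example, not code from the page. The URLs and field names are
constructed; the body-only lookup is this example's hardening choice.
"""
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

# Constructed scenario: the attacker sends the victim this link. The page
# at /profile carries a POST form with a hidden role=user field.
ATTACKER_LINK = "https://app.example/profile?role=admin"
FORM_FIELDS = {"role": "user", "email": "victim@example.com"}


def submit_form(document_url, action, method, fields):
    """Return the (url, body) a browser sends, following the HTML form
    submission algorithm for the relevant cases."""
    if action is None or action == "":
        # Missing or empty action: submit to the document URL as-is, so the
        # attacker's query string rides along.
        target = document_url
    else:
        # Any other action is resolved against the document URL; a path
        # action drops the document's query string.
        target = urljoin(document_url, action)
    encoded = urlencode(fields)
    if method.lower() == "get":
        # GET: the URL query is replaced by the form fields, no body.
        target = urlunsplit(urlsplit(target)._replace(query=encoded))
        return target, ""
    # POST: URL (query included) is kept, fields go in the body.
    return target, encoded


def servlet_request(url, body):
    """Parameter map as the Servlet API aggregates it: query-string values
    are listed before post-body values for the same name."""
    params = {}
    for source, pairs in (("query", parse_qsl(urlsplit(url).query)),
                          ("body", parse_qsl(body))):
        for name, value in pairs:
            params.setdefault(name, []).append((source, value))
    return params


def get_parameter(request, name):
    """request.getParameter(name): the first value wins."""
    values = request.get(name)
    return values[0][1] if values else None


def get_body_parameter(request, name):
    """Hardened lookup for POST handlers: honour body values only."""
    for source, value in request.get(name, []):
        if source == "body":
            return value
    return None


def has_cross_source_duplicate(request, name):
    """Alternative check: the name was supplied in both query and body."""
    sources = {source for source, _ in request.get(name, [])}
    return sources == {"query", "body"}


def role_seen_by_server(action, method="post", body_only=False):
    """Role the application acts on for a given form configuration."""
    url, body = submit_form(ATTACKER_LINK, action, method, FORM_FIELDS)
    request = servlet_request(url, body)
    lookup = get_body_parameter if body_only else get_parameter
    return lookup(request, "role")


if __name__ == "__main__":
    print("no action, POST, getParameter :", role_seen_by_server(None))          # admin
    print("action=/profile, POST         :", role_seen_by_server("/profile"))    # user
    print("no action, POST, body-only    :", role_seen_by_server(None, body_only=True))  # user
    print("no action, GET                :", role_seen_by_server(None, method="get"))    # user
```

The vulnerable configuration (POST form, no action, first-value lookup) yields admin; either fix from the Remediation, an explicit action or a body-only read, yields user, and the GET case shows why the override needs a POST form.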