HTTP Parameter Pollution

ID

php.http_parameter_pollution

Severity

high

Resource

Injection

Language

Php

Tags

CWE:235, NIST.SP.800-53, OWASP:2021:A3, PCI-DSS:6.5.1

Description

Improper neutralization of special elements into path, query string, or parameters of HTTP requests

Rationale

HTTP Parameter Pollution occurs when a web application inadequately handles parameters that are included in an HTTP request. By injecting additional parameters into a query string or request body, an attacker can manipulate the request path and parameters to override intended behavior or bypass certain validations, potentially accessing unauthorized data or altering application logic.

In contrast to Server-Side Request Forgery (SSRF), where an attacker controls the full request URL including the host and port, HPP focuses on manipulating parts like the path, query, or fragment of the URL. Common attack vectors exploit characters such as "&" to inject additional parameters, "../" to alter the path, ";" to add matrix parameters, and "#" to truncate URL components.

Consider the following PHP snippet:

```php
<?php
$url = 'http://myserver/path?';
// Untrusted POST data is concatenated straight into the query string.
$fullurl = $url . 'param=' . $_POST['param'];
$data = file_get_contents($fullurl); // FLAW: request structure is attacker-controlled
```

In this example, user input ($_POST['param']) is concatenated directly into the URL without validation or encoding. With an HPP attack, an attacker could set a malicious value for the param field, potentially altering the intended REST API interaction with unintended HTTP methods or paths.

Remediation

To remediate HTTP Parameter Pollution vulnerabilities, implement the following practices:

  1. Input Validation and Encoding: Validate user input rigorously. Use encoding to ensure any special characters in input are safely included in URLs, preventing them from manipulating the request structure.

  2. Parameter Handling: Instead of constructing URLs via string concatenation, utilize URI building classes (e.g., Spring’s UriComponentsBuilder) to safely handle and encode all parts of the URL, ensuring parameter integrity.

  3. Secure Framework Configuration: Consider using framework settings that limit or restrict parameter resolution from multiple sources, and ensure only expected parameters are processed.
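The following PHP example is added here to illustrate points 1 and 2; it is not part of the detector's documentation or of any scanned project. It places the concatenation pattern from the description beside an encoded and a validated builder and shows how many parameters a receiving server would parse from each result. The base URL, the parameter name and the allow-list pattern are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

const BASE_URL = 'http://myserver/path'; // assumed base URL for illustration

// Vulnerable pattern from the description: the raw value is concatenated into the query.
function buildUrlUnsafe(string $param): string
{
    return BASE_URL . '?param=' . $param;
}

// Encoding alone: http_build_query() percent-encodes "&", "#", "=" and "/", so the
// value stays a single parameter regardless of what it contains.
function buildUrlEncoded(string $param): string
{
    return BASE_URL . '?' . http_build_query(['param' => $param], '', '&', PHP_QUERY_RFC3986);
}

// Validation plus encoding: reject values outside the expected shape before building the URL.
function buildUrlValidated(string $param): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $param)) { // assumed allow-list for this parameter
        throw new InvalidArgumentException('param has an unexpected shape');
    }
    return buildUrlEncoded($param);
}

// Parse the URL the way a receiving server would and list the parameter names it sees.
function parameterNames(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $parsed);
    return array_keys($parsed);
}

$polluted = 'value&admin=1'; // constructed input that smuggles a second parameter

foreach (['unsafe' => buildUrlUnsafe($polluted), 'encoded' => buildUrlEncoded($polluted)] as $label => $url) {
    printf("%-8s %s  parameters: %s\n", $label, $url, implode(',', parameterNames($url)));
}

try {
    buildUrlValidated($polluted);
} catch (InvalidArgumentException $e) {
    echo "validated: rejected ({$e->getMessage()})\n";
}
```

The unsafe builder yields two parameters (param and admin), the encoded builder yields only param, and the validated builder refuses the value outright.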

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check.

  • neutralizations, which indicates the neutralization kinds to check.

Unless you need to change the default behavior, you typically do not need to configure this detector.

References