How to Fix HTTP Parameter Pollution Vulnerabilities
In this tutorial, you'll learn how to fix HTTP Parameter Pollution vulnerabilities. We cover key concepts, practical examples, and best practices.
HTTP Parameter Pollution (HPP) vulnerabilities occur when an attacker sends multiple HTTP parameters with the same name, exploiting differences in how web servers, proxies, and application frameworks handle duplicate parameters to bypass security controls.
Quick Fix
Wrong
app.get("/api/users", [](Request& req, Response& res) {
    int limit = std::stoi(req.param("limit")); // silently takes the first value only
    // ...
});
If the URL is /api/users?limit=10&limit=1000&admin=false&admin=true, different components may interpret the parameters differently.
Right
app.get("/api/users", [](Request& req, Response& res) {
    auto limits = req.params("limit"); // get all values, not just the first
    if (limits.size() > 1) {
        res.status(400).send("Duplicate parameters");
        return;
    }
    if (limits.empty()) { // avoid indexing an empty list when the parameter is absent
        res.status(400).send("Missing limit parameter");
        return;
    }
    int limit = std::stoi(limits[0]);
    // ...
});
Fix with parameter validation
#include <set>
#include <string>

// Returns true if any of the checked parameter names appears more than once.
bool hasDuplicateParams(const Request& req,
                        const std::set<std::string>& checked) {
    for (const auto& key : checked) {
        if (req.params(key).size() > 1) return true;
    }
    return false;
}

// Inside a handler: reject the request before any of these values is used.
if (hasDuplicateParams(req, {"limit", "offset", "admin"})) {
    res.status(400).send("Duplicate parameters rejected");
    return;
}
Fix for security-sensitive params
app.post("/transfer", [](Request& req, Response& res) {
    // Check for duplicates first and reject before any value is parsed or used
    if (req.params("to").size() > 1 ||
        req.params("amount").size() > 1) {
        res.status(400).send("Invalid request");
        return;
    }
    // Exactly one value remains for each sensitive field
    std::string to = req.param("to");
    double amount = std::stod(req.param("amount"));
    executeTransfer(req.session.userId, to, amount);
});
Fix with strict parsing mode
// Enable strict parameter parsing
app.setParamParsing(StrictMode::RejectDuplicates);
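The fixes above assume the framework exposes every value of a repeated parameter. As an added example (not part of this page or of any particular framework), here is a stand-alone C++ query-string parser that keeps all values of each parameter, plus a check that names the sensitive parameters appearing more than once, run on the polluted URL from the Quick Fix section; parseQuery, duplicatedSensitiveParams and ParamMap are hypothetical names, and percent-decoding is omitted.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

using ParamMap = std::map<std::string, std::vector<std::string>>;

// Splits a raw query string into every key/value pair it carries, keeping
// duplicates in order instead of silently picking the first or last copy.
// Percent-decoding is deliberately left out; the point is duplicate detection.
ParamMap parseQuery(const std::string& query) {
    ParamMap params;
    std::size_t start = 0;
    while (start <= query.size()) {
        std::size_t end = query.find('&', start);
        if (end == std::string::npos) end = query.size();
        std::string pair = query.substr(start, end - start);
        if (!pair.empty()) {
            std::size_t eq = pair.find('=');
            std::string key = pair.substr(0, eq);          // whole pair if no '='
            std::string value = (eq == std::string::npos) ? "" : pair.substr(eq + 1);
            params[key].push_back(value);
        }
        start = end + 1;
    }
    return params;
}

// Names every sensitive parameter that appears more than once, so a handler
// can answer 400 instead of guessing which copy an upstream layer would use.
std::vector<std::string> duplicatedSensitiveParams(const ParamMap& params,
                                                   const std::set<std::string>& sensitive) {
    std::vector<std::string> dupes;
    for (const auto& name : sensitive) {           // std::set iterates in sorted order
        auto it = params.find(name);
        if (it != params.end() && it->second.size() > 1) dupes.push_back(name);
    }
    return dupes;
}

int main() {
    // Constructed input: the polluted query string from the Quick Fix section
    ParamMap p = parseQuery("limit=10&limit=1000&admin=false&admin=true");
    for (const auto& name : duplicatedSensitiveParams(p, {"limit", "offset", "admin"})) {
        std::cout << "reject: duplicate parameter '" << name << "'\n";
    }
    return 0;
}
```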
Prevention
- Reject requests with duplicate parameters for sensitive operations.
- Use a consistent parameter parsing strategy across all layers.
- Document expected parameter behavior in API specifications.
- Validate that each parameter appears exactly once for critical fields.
- Test with duplicate parameters in security testing.
DodaTech Tools
Doda Browser's HPP scanner sends requests with duplicate parameters to identify inconsistent parsing. DodaZIP archives API request logs for forensic analysis. Durga Antivirus Pro detects HPP attacks in HTTP traffic.
Common Mistakes with parameter pollution
- Forgetting deriving (Show, Eq) on custom data types needed for debugging
- Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
- Using head and tail instead of pattern matching, causing runtime errors on empty lists
These mistakes appear frequently in real-world HTTP code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.
Practice Exercise
Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.
This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro