Details
Alert Id 20014
Alert Type Active
Status beta
Risk Informational
CWE 20
WASC 20
Technologies Targeted All
Tags OWASP_2017_A01
OWASP_2021_A03
WSTG-V42-INPV-04

Summary

HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.

Solution

Properly sanitize the user input for parameter delimiters

References

Code

org/zaproxy/zap/extension/ascanrulesBeta/HttpParameterPollutionScanRule.java