Skip to main content

HTTP parameter pollution

Need

Prevention of HTTP parameter pollution

Context

  • Usage of Java for building cross-platform applications
  • Usage of javax.servlet for building Java web applications with Servlet technology
  • Usage of javax.servlet.http for handling HTTP requests and responses in Java Servlets

Description

Non compliant code

import javax.servlet.*;
import javax.servlet.http.*;

public class VulnerableServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String param1 = request.getParameter("param1");
        String param2 = request.getParameter("param2");

        // Process the parameters
        // ...
    }
}

In the above code, the doGet method of the VulnerableServlet class is accepting HTTP GET requests and retrieving the values of "param1" and "param2" parameters from the request.

This code is vulnerable to HTTP Parameter Pollution (HPP) attacks. An attacker can inject extra, unexpected parameters into the HTTP request, which can cause unexpected behavior in the application.

For example, an attacker could send a request like http://example.com/servlet?param1=value1&param2=value2&param1=evilValue. The application may process "param1" twice, first with "value1", and then with "evilValue". Depending on how the application uses these parameters, this could lead to various security issues, such as bypassing input validation, altering application logic, or even SQL Injection if the parameters are used in a SQL query.

The problem here is that the code does not check if there are extra parameters in the request, and does not handle the case where the same parameter is present multiple times.

Steps

  • Validate and sanitize all incoming parameters before processing them.
  • Implement a whitelist approach to only allow specific parameters to be processed.
  • Use a framework or library that handles parameter validation and sanitization automatically.
  • Implement input validation to ensure that the parameters meet the expected format and constraints.
  • Implement proper error handling and logging to detect and respond to any unexpected behavior caused by parameter pollution.
  • Regularly update and patch the application and its dependencies to ensure that any known vulnerabilities are addressed.

Compliant code

import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;

public class SecureServlet extends HttpServlet {

    // Define a list of allowed parameters
    private static final List<String> ALLOWED_PARAMS = Arrays.asList("param1", "param2");

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        
        Enumeration<String> parameterNames = request.getParameterNames();

        while (parameterNames.hasMoreElements()) {
            String paramName = parameterNames.nextElement();

            // Validate the parameter name
            if (!ALLOWED_PARAMS.contains(paramName)) {
                throw new ServletException("Invalid parameter: " + paramName);
            }

            String[] paramValues = request.getParameterValues(paramName);

            // Validate the parameter values
            for (String paramValue : paramValues) {
                if (!isValid(paramValue)) {
                    throw new ServletException("Invalid parameter value: " + paramValue);
                }
            }
        }

        // Process the parameters
        // ...
    }

    // Implement a method to validate the parameter values
    private boolean isValid(String paramValue) {
        // Add your validation logic here
        // For example, check if the value is alphanumeric and does not contain any special characters
        return paramValue.matches("[a-zA-Z0-9]*");
    }
}

The above code fixes the HTTP parameter pollution vulnerability by implementing a whitelist approach and validating all incoming parameters before processing them.

Firstly, a list of allowed parameters is defined. This list is used to validate the names of all incoming parameters. If a parameter name is not in the list, a ServletException is thrown.

Secondly, for each valid parameter, all its values are validated using a custom isValid method. This method should contain the validation logic specific to your application. In this example, it checks if the value is alphanumeric and does not contain any special characters. If a parameter value is not valid, a ServletException is thrown.

This approach ensures that only specific parameters are processed and that their values meet the expected format and constraints. It also provides proper error handling to detect and respond to any unexpected behavior caused by parameter pollution.

Remember to regularly update and patch your application and its dependencies to ensure that any known vulnerabilities are addressed.

References

Last updated on