
Offensive360
Intermediate · 15 min

HTTP Parameter Pollution

See how duplicate query parameters confuse server-side logic and enable filter bypass attacks.

1 HPP Mechanics

HTTP Parameter Pollution (HPP) occurs when an attacker sends multiple values for the same parameter. Different web frameworks parse these duplicates differently, enabling logic bypass.

Parsing differences:

Request: GET /transfer?amount=100&amount=99999

Flask (Python):   request.args.get("amount") → "100" (first)
Django:           request.GET["amount"] → "99999" (last)
PHP:              $_GET["amount"] → "99999" (last)
Express (Node):   req.query.amount → ["100","99999"] (array)

Attack scenario (WAF bypass):

GET /search?q=normal&q=<script>alert(1)</script>

A WAF may check only the first parameter value and find it clean, while the backend uses the last value containing the XSS payload.
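The parsing table and the WAF scenario above, worked through as an added example (this is not code from the original page or from any of the frameworks named): resolveParam applies the "first", "last" and "array" policies to one query string using Node's built-in URLSearchParams, and simulateMismatch shows what happens when an inspection device applies one policy while the backend applies another. The looksLikeMarkup heuristic and the tag-shaped sample value are constructed stand-ins for a real WAF rule.

```javascript
// Added example (not from the original page). Demonstrates, with Node's built-in
// URLSearchParams, how one duplicated parameter is resolved under the "first",
// "last" and "array" policies from the table above, and how a WAF/backend policy
// mismatch lets a value the WAF never examined reach the backend.

// Resolve duplicate query parameters under a named policy.
//   "first" ~ Flask request.args.get, "last" ~ Django / PHP, "array" ~ Express (qs)
function resolveParam(queryString, name, policy) {
  const values = new URLSearchParams(queryString).getAll(name); // every occurrence, in order
  if (values.length === 0) return undefined;
  switch (policy) {
    case "first": return values[0];
    case "last":  return values[values.length - 1];
    case "array": return values.length === 1 ? values[0] : values; // Express: string or array
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Stand-in for a WAF signature: flags a value (or any element of an array of
// values) that looks like an HTML tag. Constructed for this example only.
function looksLikeMarkup(value) {
  if (Array.isArray(value)) return value.some(looksLikeMarkup);
  return typeof value === "string" && /<[a-z!/?]/i.test(value);
}

// Inspect the request with one policy (the WAF) and consume it with another (the
// backend). `bypassed` is true when the WAF saw a clean value but the backend
// consumed markup, i.e. the two sides disagreed about which value counts.
function simulateMismatch(queryString, name, wafPolicy, backendPolicy) {
  const wafValue = resolveParam(queryString, name, wafPolicy);
  const backendValue = resolveParam(queryString, name, backendPolicy);
  return {
    wafValue,
    backendValue,
    wafBlocked: looksLikeMarkup(wafValue),
    backendGotMarkup: looksLikeMarkup(backendValue),
    bypassed: !looksLikeMarkup(wafValue) && looksLikeMarkup(backendValue),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const transfer = "amount=100&amount=99999"; // the page's example request
  for (const policy of ["first", "last", "array"]) {
    console.log(policy.padEnd(6), resolveParam(transfer, "amount", policy));
  }
  // Constructed query in the shape of the WAF scenario, with a harmless tag as the second value.
  console.log(simulateMismatch("q=normal&q=<b>x</b>", "q", "first", "last"));
  console.log(simulateMismatch("q=normal&q=<b>x</b>", "q", "last", "last")); // consistent: no bypass
}
```

The second simulateMismatch call is the point of the exercise for a defender: once the WAF and the backend resolve duplicates with the same policy, the bypass flag stays false, which is exactly the "parse consistently" item on the checklist in section 2.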

HPP also appears in OAuth attacks: duplicating the redirect_uri parameter can succeed when the servers involved resolve the duplicate differently from each other.

2 Prevention

Prevent HPP by being explicit about how you extract parameters and by rejecting requests containing duplicate parameters for sensitive operations.

Explicit extraction (Node.js/Express):

app.get("/transfer", (req, res) => {
  // Explicitly reject if amount is an array (duplicated)
  const amount = req.query.amount;
  if (Array.isArray(amount)) {
    return res.status(400).json({ error: "Duplicate parameter not allowed" });
  }
  const parsed = parseInt(amount, 10);
  if (isNaN(parsed) || parsed <= 0) {
    return res.status(400).json({ error: "Invalid amount" });
  }
  // proceed with transfer
});

Defense checklist:

  • Explicitly check for and reject duplicate parameters in sensitive endpoints
  • Use typed input parsing that rejects arrays for scalar parameters
  • Ensure WAF and application backend parse parameters consistently
  • Log and alert on requests with duplicate parameters
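The checklist above, implemented end to end as an added example (not the page's own code, and Express is not imported): findDuplicateParams inspects the raw query string, rejectDuplicateParams is a middleware in the Express shape that logs a structured event and returns 400, getScalarParam extracts exactly one string value independently of any framework's first/last/array policy, and transferHandler performs the strict numeric check. The request and response objects are stubs that only assume req.url, res.status(), res.json() and next(), so the whole pipeline runs without a server; the hpp_duplicate_param event name is a constructed choice.

```javascript
// Added example, not the page's own code: a framework-agnostic implementation of the
// defence checklist. Express is not imported; the middleware only assumes req.url,
// res.status(), res.json() and next(), so it runs stand-alone with the stubs below.

// Names of parameters that occur more than once in a raw query string.
function findDuplicateParams(rawQuery) {
  const counts = new Map();
  for (const [name] of new URLSearchParams(rawQuery)) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name, n]) => ({ name, occurrences: n }));
}

// Middleware: log and reject any request carrying a duplicated parameter.
// The logger is injectable so the event can be captured and asserted on.
function rejectDuplicateParams(logger = console) {
  return function (req, res, next) {
    const [path, rawQuery = ""] = req.url.split("?", 2);
    const duplicates = findDuplicateParams(rawQuery);
    if (duplicates.length === 0) return next();
    // Event name is a constructed choice; emit one JSON line per rejected request.
    logger.warn(JSON.stringify({ event: "hpp_duplicate_param", path, duplicates }));
    return res.status(400).json({ error: "Duplicate parameter not allowed" });
  };
}

// Typed scalar extraction: exactly one string value, or a reason for rejection.
// Reads the raw query so it does not depend on a framework's first/last/array policy.
function getScalarParam(rawQuery, name) {
  const values = new URLSearchParams(rawQuery).getAll(name);
  if (values.length === 0) return { ok: false, error: `missing parameter: ${name}` };
  if (values.length > 1) return { ok: false, error: `duplicate parameter: ${name}` };
  return { ok: true, value: values[0] };
}

// Strict positive integer: parseInt("100abc", 10) would return 100, this rejects it.
// Bounded to 12 digits so the value stays well inside exact Number precision.
function parsePositiveInt(text) {
  return /^[1-9][0-9]{0,11}$/.test(text) ? Number(text) : null;
}

// Handler for GET /transfer built on the helpers above.
function transferHandler(req, res) {
  const rawQuery = req.url.split("?", 2)[1] || "";
  const amount = getScalarParam(rawQuery, "amount");
  if (!amount.ok) return res.status(400).json({ error: amount.error });
  const parsed = parsePositiveInt(amount.value);
  if (parsed === null) return res.status(400).json({ error: "Invalid amount" });
  return res.status(200).json({ transferred: parsed }); // proceed with transfer
}

// Minimal stand-in for Express's response object so the pipeline runs without a server.
function fakeResponse() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run middleware then handler for one URL; returns the response and captured log lines.
function handleTransfer(url) {
  const logs = [];
  const res = fakeResponse();
  const req = { url };
  rejectDuplicateParams({ warn: (line) => logs.push(line) })(req, res, () => transferHandler(req, res));
  return { status: res.statusCode, body: res.body, logs };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const url of ["/transfer?amount=100", "/transfer?amount=100&amount=99999", "/transfer?amount=100abc"]) {
    console.log(url, JSON.stringify(handleTransfer(url)));
  }
}
```

Rejecting duplicates at the middleware layer means every sensitive route gets the same behaviour and the same log event; getScalarParam remains as a second line of defence for a route that is mounted without the middleware.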

Knowledge Check

Q1

What is the core issue that enables HTTP Parameter Pollution attacks?

Q2

In Express.js (Node), what does req.query.param return when the URL contains ?param=a&param=b?

Q3

How can HPP be used to bypass a Web Application Firewall?

Code Exercise

Detect Duplicate Parameters

The transfer endpoint does not check for duplicate "amount" parameters. Add validation to reject requests where "amount" is an array (duplicated parameter).
