HTTP Parameter Pollution (HPP)
Written by Ulises Gascón
Apr 08, 2020 — 2 min readThe Attack
There are some corner cases that the HTTP Specification doesn't cover like HTTP Parameter Pollution or HTTP.
Check out this code:
const express = require('express')
const app = express()
app.get('/films', (req, res) => res.json(req.query))
app.listen(8080, () => console.log('Check http://localhost:8080'))
Check out the responses:
http://localhost:8080/films
{}
http://localhost:8080/films?actor=Me
{"actor":"Me"}
http://localhost:8080/films?actor=Me&director=You
{"actor":"Me","director":"You"}
http://localhost:8080/films?actor=Me&actor=You
{"actor":["Me","You"]}
In the case of Express if the query param is redefined again we will receive an array, this can lead to many unexpected scenarios like:
- Type Errors uncaught that can lead to DoS attacks
- Unexpected data that can modify the behavior of our application
The solution
- Check the expected type and implement a strong error handling mechanism.
const express = require('express')
const app = express()
app.get('/films', (req, res) => {
const { query } = req
let actor = Array.isArray(query.actor) ? query.actor[0] : query.actor;
res.send(`The actor is ${actor}`)
})
app.listen(8080, () => console.log('Check http://localhost:8080'))
http://localhost:8080/films?actor=Me
The actor is Me
http://localhost:8080/films?actor=Me&actor=You
The actor is Me