HTTP Parameter Pollution (HPP)

Written by Ulises Gascón

Apr 08, 2020

The Attack

There are some corner cases that the HTTP Specification doesn't cover like HTTP Parameter Pollution or HTTP.

Check out this code:

const express = require('express')
const app = express()

app.get('/films', (req, res) => res.json(req.query))

app.listen(8080, () => console.log('Check http://localhost:8080'))

Check out the responses:

http://localhost:8080/films
{}
http://localhost:8080/films?actor=Me
{"actor":"Me"}
http://localhost:8080/films?actor=Me&director=You
{"actor":"Me","director":"You"}
http://localhost:8080/films?actor=Me&actor=You
{"actor":["Me","You"]}

In Express, if a query parameter is repeated, we receive an array instead of a string. This can lead to unexpected scenarios such as:

  • Uncaught type errors that can lead to DoS attacks
  • Unexpected data that can modify the behavior of our application

The solution

  • Check the expected type and implement a strong error handling mechanism.

const express = require('express')
const app = express()

app.get('/films', (req, res) => {
    const { query } = req
    // A repeated parameter arrives as an array; keep only the first value
    const actor = Array.isArray(query.actor) ? query.actor[0] : query.actor
    res.send(`The actor is ${actor}`)
})

app.listen(8080, () => console.log('Check http://localhost:8080'))

http://localhost:8080/films?actor=Me
The actor is Me
http://localhost:8080/films?actor=Me&actor=You
The actor is Me
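
The type check and error handling from the solution, as an added example that is not part of the original post: it rejects a repeated parameter with a 400 instead of taking the first value. `parseQuery`, `naiveActor`, `strictActor` and `handle` are hypothetical names; `parseQuery` stands in for `req.query` so the snippet runs without Express, and the URLs are constructed samples.

```javascript
// Stand-in for req.query (assumption): repeated keys become arrays,
// matching the responses shown earlier on this page.
function parseQuery(url) {
  const query = Object.create(null) // no prototype, so keys like "toString" are safe
  const search = url.includes('?') ? url.slice(url.indexOf('?') + 1) : ''
  for (const [key, value] of new URLSearchParams(search)) {
    if (!(key in query)) query[key] = value
    else query[key] = [].concat(query[key], value)
  }
  return query
}

// Handler logic that assumes a string: arrays have no trim(), so a
// repeated "actor" raises a TypeError.
function naiveActor(query) {
  return `The actor is ${query.actor.trim()}`
}

// Handler logic that checks the expected type and fails with a client error.
function strictActor(query) {
  const { actor } = query
  if (typeof actor !== 'string' || actor.length === 0) {
    const err = new Error('actor must be a single non-empty string')
    err.status = 400
    throw err
  }
  return `The actor is ${actor}`
}

// Minimal error handling: validation errors carry a status, anything else is a 500.
function handle(url, logic) {
  try {
    return { status: 200, body: logic(parseQuery(url)) }
  } catch (err) {
    const status = err.status || 500
    return { status, body: err.status ? err.message : 'Internal Server Error' }
  }
}

// Constructed sample requests
for (const url of ['/films?actor=Me', '/films?actor=Me&actor=You', '/films']) {
  console.log(url, 'naive:', handle(url, naiveActor).status,
    'strict:', handle(url, strictActor).status)
}
```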
