Summary

Netsparker detected that the website is vulnerable to client-side HTTP Parameter Pollution (HPP). 

 

HPP occurs when a target system accepts multiple parameters with the same name and handles them in a manner that might be insecure or unexpected.  

 

When multiple parameters with the same name are sent to a server, different languages and frameworks handle these parameters in a different way whereas some systems like PHP/Apache process only the last occurrence of the repeated parameters. ASP.NET/IIS, on the other hand, combines them with commas. 

 

For instance:

http://www.example.com/?color=red&color=blue

 

PHP/Apache:

PHP/Apache will process only the last occurrence of the parameter color: "blue" 

 

ASP.NET/IIS:

ASP.NET/IIS will concatenate all parameter values with commas: param=red, blue 

 

JSP, Servlet, Apache Tomcat

This stack will take the first occurrence of the parameter "color". Therefore its value will be red.

Impact

Whether or not HPP constitutes a serious vulnerability depends on the specific applications code. The impact can range from bypassing filters, security control mechanisms to changing application flow. Additionally, an attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checks, and access and possibly exploit variables that may be out of direct reach for an attacker.

Remediation

All user-supplied data, which is reflected in the HTML source code of the HTTP response, should be encoded according to the context in which they are reflected. For example by using URL-encoding in attributes that input is reflected, instead of HTML entities. 

Classifications
OWASP 2013-A1, OWASP 2017-A1 , CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities

OR

Search Vulnerability

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO