
HTTP Parameter Pollution (HPP)

The Attack

There are some corner cases that the HTTP specification doesn't cover, such as HTTP Parameter Pollution (HPP).

Check out this code:

const express = require('express')
const app = express()

app.get('/films', (req, res) => res.json(req.query))

app.listen(8080, () => console.log('Check http://localhost:8080'))

Check out the responses:

http://localhost:8080/films
{}

http://localhost:8080/films?actor=Me
{"actor":"Me"}

http://localhost:8080/films?actor=Me&director=You
{"actor":"Me","director":"You"}

http://localhost:8080/films?actor=Me&actor=You
{"actor":["Me","You"]}

In Express, if a query parameter is defined more than once, req.query holds an array for it instead of a string. This can lead to many unexpected scenarios, such as:

  • Uncaught type errors that can lead to DoS attacks
  • Unexpected data that can modify the behavior of our application

The solution

  • Check the expected type and implement a strong error handling mechanism.

const express = require('express')
const app = express()

app.get('/films', (req, res) => {
  const { query } = req
  // A repeated parameter arrives as an array; keep only its first value
  const actor = Array.isArray(query.actor) ? query.actor[0] : query.actor
  res.send(`The actor is ${actor}`)
})

app.listen(8080, () => console.log('Check http://localhost:8080'))

http://localhost:8080/films?actor=Me
The actor is Me

http://localhost:8080/films?actor=Me&actor=You
The actor is Me
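
The type check can also reject a repeated parameter outright instead of keeping its first value. The following is an added example, not code from the original page: requireSingleValue, mockRes and run are hypothetical names, and the request and response objects are constructed stand-ins so the block runs without Express installed.

```javascript
// Handler that assumes a string. With ?actor=Me&actor=You Express sets
// req.query.actor to an array, arrays have no .trim(), so this throws.
function naiveHandler(req, res) {
  res.send(`The actor is ${req.query.actor.trim()}`)
}

// Hypothetical middleware factory: every listed parameter must be present
// as a single string, otherwise answer 400 before the handler runs.
// In Express: app.get('/films', requireSingleValue('actor'), naiveHandler)
function requireSingleValue(...names) {
  return (req, res, next) => {
    for (const name of names) {
      if (typeof req.query[name] !== 'string') {
        return res.status(400).json({ error: `"${name}" must be a single string value` })
      }
    }
    next()
  }
}

// Constructed stand-in for the parts of an Express response used here.
function mockRes() {
  return {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this },
    json(obj) { this.body = obj; return this },
    send(text) { this.body = text; return this },
  }
}

// Hypothetical runner: calls the functions in order, as a route would.
function run(query, ...stack) {
  const req = { query }
  const res = mockRes()
  let i = 0
  const next = () => { const fn = stack[i++]; if (fn) fn(req, res, next) }
  next()
  return res
}

// Constructed inputs: the shapes req.query takes for the URLs on this page.
const rejected = run({ actor: ['Me', 'You'] }, requireSingleValue('actor'), naiveHandler)
const accepted = run({ actor: 'Me' }, requireSingleValue('actor'), naiveHandler)
console.log(rejected.statusCode, rejected.body)
console.log(accepted.statusCode, accepted.body)
```
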

Refs