quiz vs the machine

HTTP Parameter Pollution

When duplicate parameters are parsed inconsistently across components.

4 min read · core

The Confusion

HTTP parameter pollution sends the same parameter name more than once and relies on different components picking different occurrences: a proxy or filter might read the first value while the application reads the last, opening a gap between what was checked and what runs.

Why It Matters

  • A security filter may validate one copy of a parameter while business logic uses another.
  • It can bypass input validation, alter access control decisions, or smuggle injection payloads.
  • Frameworks differ on whether duplicates become the first, the last, or a combined list.

Defenses

  • Decide on a single canonical way to read each parameter and reject unexpected duplicates.
  • Validate the exact value the application will use, not a different occurrence.
  • Keep parsing consistent across every layer that inspects the request.
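The three parsing strategies named above (first, last, combined list) and the "reject unexpected duplicates" defense, as an added example that is not part of the original lesson. It uses Python's standard `urllib.parse.parse_qsl`; the parser functions, the `DuplicateParameterError` class, `read_params_strict`, `parsing_gap` and the query string `SAMPLE_QUERY` are all constructed for this illustration and are not from any real framework. `parsing_gap` is a defender's check: given the parser a front-end filter uses and the parser the application uses, it reports which names the two layers would disagree on.

```python
from urllib.parse import parse_qsl

# Constructed sample query with duplicated "id" and "tag" parameters.
SAMPLE_QUERY = "id=123&id=456&tag=a&tag=b"


def parse_first(query):
    """Keep the first occurrence of each name (one common framework behaviour)."""
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(name, value)
    return out


def parse_last(query):
    """Keep the last occurrence of each name (another common behaviour)."""
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        out[name] = value
    return out


def parse_all(query):
    """Collect every occurrence into a list (the third common behaviour)."""
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(name, []).append(value)
    return out


class DuplicateParameterError(ValueError):
    """Raised when a parameter that must be single-valued is repeated."""


def read_params_strict(query, allowed_multi=frozenset()):
    """Canonical reader for the application layer.

    Each name may appear once; names listed in allowed_multi are returned as
    lists, any other repeated name is rejected instead of being silently
    resolved to first or last. Validate the value this function returns,
    because it is the only value the application will ever see.
    """
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in allowed_multi:
            seen.setdefault(name, []).append(value)
        elif name in seen:
            raise DuplicateParameterError(f"duplicate parameter {name!r}")
        else:
            seen[name] = value
    return seen


def parsing_gap(query, filter_parser, app_parser):
    """Names on which the filter layer and the application layer would disagree.

    A non-empty result means a value could pass the filter under one
    interpretation and reach business logic under another.
    """
    filtered = filter_parser(query)
    used = app_parser(query)
    return sorted(
        name for name in set(filtered) | set(used)
        if filtered.get(name) != used.get(name)
    )


if __name__ == "__main__":
    print("first:", parse_first(SAMPLE_QUERY))
    print("last:", parse_last(SAMPLE_QUERY))
    print("all:", parse_all(SAMPLE_QUERY))
    print("gap between first-wins filter and last-wins app:",
          parsing_gap(SAMPLE_QUERY, parse_first, parse_last))
    try:
        read_params_strict(SAMPLE_QUERY, allowed_multi=frozenset({"tag"}))
    except DuplicateParameterError as exc:
        print("strict reader rejected request:", exc)
    print("strict reader on a clean request:",
          read_params_strict("id=123&tag=a&tag=b", allowed_multi=frozenset({"tag"})))
```

Run it on the constructed query and the gap check names both `id` and `tag`, while the strict reader refuses the request outright because `id` is repeated; only `tag`, which was declared multi-valued on purpose, is ever returned as a list. Note that even the separator rules of `parse_qsl` have changed between Python releases, which is one more reason to keep every layer on the same parser.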

Key idea

Parameter pollution thrives on inconsistent parsing of duplicates, so reject unexpected duplicates and validate the exact value the application consumes.

Check yourself

1. What does HTTP parameter pollution exploit?

2. Which defense reduces the risk?