Client Side Vulnerabilities / Client-Side HTTP Parameter Pollution
Description
Client-side HTTP parameter pollution (CWE-20) is a web application vulnerability that occurs when user-supplied parameters are used to manipulate the intended logic of a web application. The attacker injects additional HTTP parameters into a single HTTP request and, through them, can gain access to application data and control the application's behaviour. This type of attack is commonly seen in web and API applications, and can be used to bypass authentication, gain access to sensitive data, and modify application behaviour. The Common Weakness Enumeration (CWE) directory defines the vulnerability in detail, and the OWASP Testing Guide provides more information on how to test for it.
Risk
Client-side HTTP parameter pollution is a high-risk vulnerability because it allows an attacker to modify application behaviour and gain access to sensitive data. The attack is also difficult to detect, because legitimate and malicious requests can be hard to tell apart.
Solution
The best way to protect against this type of attack is to validate user input and filter out any suspicious requests. It is also important to ensure that authentication is performed on the server side and is not based on user-supplied parameters.
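
The validation and filtering described above, as an added example that is not part of the original page: a link builder that concatenates user input beside one that encodes it, an allowlist check on the value, and a filter that flags repeated parameter names. The function names, the `action` and `poll_id` parameters and the `app.example` URL are assumptions made for illustration.

```javascript
// Added example; function names, parameter names and URLs are hypothetical.

// Weak: the user-supplied value is concatenated into the query string, so any
// "&" or "=" inside it is parsed as an extra parameter by the receiver.
function buildLinkUnsafe(base, pollId) {
  return base + "?action=view&poll_id=" + pollId;
}

// Hardened: URLSearchParams percent-encodes the value, so delimiters in the
// input stay inside the poll_id value.
function buildLinkSafe(base, pollId) {
  const url = new URL(base);
  url.searchParams.set("action", "view");
  url.searchParams.set("poll_id", String(pollId));
  return url.toString();
}

// Validation: allowlist the expected shape before the value is used at all.
function isValidPollId(value) {
  return typeof value === "string" && /^[0-9]{1,10}$/.test(value);
}

// Filter: names that occur more than once in a query string. Components may
// disagree on which duplicate wins, so reject the request rather than pick one.
function duplicatedParams(urlString) {
  const counts = new Map();
  for (const [name] of new URL(urlString).searchParams) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed sample input.
const BASE = "https://app.example/poll";
const SAMPLE_INPUT = "42&action=delete";

function demo() {
  return {
    unsafe: buildLinkUnsafe(BASE, SAMPLE_INPUT),
    safe: buildLinkSafe(BASE, SAMPLE_INPUT),
    unsafeDuplicates: duplicatedParams(buildLinkUnsafe(BASE, SAMPLE_INPUT)),
    safeDuplicates: duplicatedParams(buildLinkSafe(BASE, SAMPLE_INPUT)),
    valid: isValidPollId(SAMPLE_INPUT),
  };
}

console.log(demo());
```

The duplicate check belongs on the server as well as in any client code that builds links, since the server cannot assume the client encoded anything.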