
Parameter Pollution

An attack that manipulates how applications handle duplicate HTTP parameters to bypass security controls or alter application behavior.

Parameter pollution (also called HTTP Parameter Pollution, HPP) is an attack technique in which an attacker supplies multiple HTTP parameters with the same name in a single request, in the query string, the form body, or both. Because web servers, frameworks, and application layers resolve duplicate parameters differently (first value, last value, all values joined, or a list), an attacker can exploit the mismatch between two layers to bypass input validation, override values, or steer application logic in unintended ways.

How It Works

When a web application receives a request like ?role=user&role=admin, the value it sees depends entirely on the technology stack. Some frameworks take the first occurrence (Java Servlet getParameter(), Flask request.args.get(), Go url.Values.Get()), others take the last (PHP $_GET, Ruby Rack), ASP.NET joins all values with a comma ("user,admin"), and Express returns an array of every value. An attacker exploits this by learning how the front-end validation layer resolves a duplicated name versus how the back-end processing layer resolves it. If a web application firewall or allow-list check reads the first role parameter and finds it safe, but the application server acts on the last one, the attacker can slip a forbidden value through undetected.

There are two main variants. Server-side parameter pollution (SSPP) targets how the server resolves duplicate parameters within a single request. Client-side parameter pollution targets URL parameters that are reflected into links or forms on the page, so a crafted URL can change the action another user performs when they follow the link or submit the form. Both variants exploit the gap between what the security control validates and what the application actually processes.

Consider a password reset flow that sends a request to /reset?email=victim@example.com. If an attacker appends &email=attacker@example.com and the application's mail function uses the last parameter value while the logging function uses the first, the reset token could be sent to the attacker's address while the log shows only the legitimate email.
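The two scenarios above, the allow-list bypass and the password reset mix-up, come down to two layers using different duplicate-resolution rules. The following is an added example, not code from the original page: it models the common resolution strategies in Python, simulates a first-wins check in front of a last-wins back end, and shows the hardened alternative of rejecting any request that repeats a parameter name. The ALLOWED_ROLES set, the reset_flow function, and the query strings are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Constructed example: three ways a layer may resolve a repeated parameter name.
# The strategies mirror real stacks: first-wins (Java Servlet getParameter(),
# Flask request.args.get(), Go url.Values.Get()), last-wins (PHP $_GET, Ruby
# Rack), comma-join (ASP.NET Request.QueryString).


def first_wins(pairs):
    out = {}
    for k, v in pairs:
        out.setdefault(k, v)  # keep the first value seen
    return out


def last_wins(pairs):
    return dict(pairs)  # later pairs overwrite earlier ones


def comma_join(pairs):
    out = {}
    for k, v in pairs:
        out[k] = v if k not in out else out[k] + "," + v
    return out


def parse(query, strategy):
    # parse_qsl preserves order and decodes percent-encoding (%40 -> @)
    return strategy(parse_qsl(query, keep_blank_values=True))


# Hypothetical front-end control (WAF / allow-list) that reads the first value.
ALLOWED_ROLES = {"user", "guest"}


def waf_allows(query):
    return parse(query, first_wins).get("role", "") in ALLOWED_ROLES


# Hypothetical back end that acts on the last value.
def backend_role(query):
    return parse(query, last_wins).get("role")


def request_passes_with_role(query):
    """Return (WAF verdict, role the back end will actually use)."""
    return waf_allows(query), backend_role(query)


# Hypothetical password reset: the logger reads the first email value,
# the mailer reads the last one, so the log and the recipient disagree.
def reset_flow(query):
    logged = parse(query, first_wins).get("email")
    mailed = parse(query, last_wins).get("email")
    return {"logged": logged, "mailed": mailed}


# Hardened handling: refuse any duplicated name before any layer resolves it.
class DuplicateParameter(ValueError):
    pass


def strict_parse(query):
    seen = {}
    for k, v in parse_qsl(query, keep_blank_values=True):
        if k in seen:
            raise DuplicateParameter(k)
        seen[k] = v
    return seen


def hardened_request_ok(query):
    try:
        params = strict_parse(query)
    except DuplicateParameter:
        return False  # a polluted request never reaches the allow-list check
    return params.get("role", "") in ALLOWED_ROLES


if __name__ == "__main__":
    print(request_passes_with_role("role=user&role=admin"))  # WAF passes, back end sees admin
    print(comma_join([("role", "user"), ("role", "admin")]))
    print(reset_flow("email=victim%40example.com&email=attacker%40example.com"))
    print(hardened_request_ok("role=user&role=admin"))
```

Rejecting duplicates outright is the simplest fix; where an application legitimately accepts repeated names (multi-select form fields, for example), the alternative is to pick one resolution rule, apply it in a single place at the edge, and pass the normalized result to every downstream component so no two layers ever parse the raw query independently.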

Why It Matters

Parameter pollution attacks are effective precisely because they exploit inconsistencies between system components rather than a single bug in one of them. Traditional input validation often does not account for duplicate parameters, and many security controls examine only one instance of each parameter name, so a second instance is never inspected. During security assessments, testing for parameter pollution frequently reveals bypass opportunities in authentication flows, access controls, and payment processing logic that other testing methods miss entirely.
