HTTP parameter pollution in Express can aid attackers in bypassing security filters.

If this is the first time you’re hearing the term HTTP Parameter Pollution (aka HPP), then you need to read the links given below to get an idea of what HPP can really do to a web application.

TL;DR:

If you give a query such as ?name=123&name=abc, then Express returns 123,abc

Here are the links

With that being said, let's look at how popular web applications treat the same problem.

[Image: params]

Apparently, only ASP and a few others spit back all the occurrences of the same parameter name value.

Given that Express is the de facto Node.js web app framework, I think it's about time we take this seriously and make sure that only one of the parameter names is harnessed. Either the first or the last occurrence would do.

Author: Fantashit
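
The behaviour described in the post, as an added example that is not part of the original post or Express's own code. `parseLikeExpress` is a stand-in for `req.query` built on the standard `URLSearchParams` API, `naiveFilterAllows` and `collapseDuplicates` are hypothetical helpers, and the query strings are constructed.

```javascript
// Stand-in for Express's req.query (assumption: a repeated key becomes an
// array of every occurrence). Built on the standard URLSearchParams API.
function parseLikeExpress(search) {
  const out = Object.create(null);
  for (const [key, value] of new URLSearchParams(search)) {
    out[key] = key in out ? [].concat(out[key], value) : value;
  }
  return out;
}

// Hypothetical filter written with a single string in mind. On an array,
// includes() compares whole elements, so it no longer inspects substrings.
function naiveFilterAllows(value) {
  return !value.includes('<');
}

// Hypothetical helper: keep only the first or last occurrence of every
// parameter, so the filter and the code behind it see the same value.
function collapseDuplicates(query, keep = 'last') {
  const out = Object.create(null);
  for (const key of Object.keys(query)) {
    const v = query[key];
    if (!Array.isArray(v)) out[key] = v;
    else out[key] = keep === 'first' ? v[0] : v[v.length - 1];
  }
  return out;
}

// Constructed inputs.
const polluted = parseLikeExpress('?name=123&name=abc');
console.log(String(polluted.name)); // both occurrences, comma-joined

const q = parseLikeExpress('?comment=hello&comment=<b>hi</b>');
console.log(naiveFilterAllows(q.comment));                              // array is not inspected
console.log(naiveFilterAllows(collapseDuplicates(q).comment));          // last occurrence is checked
console.log(naiveFilterAllows(collapseDuplicates(q, 'first').comment)); // first occurrence is checked
```

In a route handler, the collapsed object would be read in place of `req.query`, so validation and the code that uses the value work from the same single occurrence.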
