Countermeasures
- Because the attacker's objective is to send malicious data, a countermeasure should prevent the body of an HTTP request from being placed in a different request.
- A common response to Client-Side HTTP Parameter Pollution is “URL encoding”. It consists of escaping all HTML entities before performing any parameter replacement on the resulting string.
- However, this can be a performance bottleneck, especially when the application produces a large amount of dynamically generated content.
- An alternative approach is “HTTP response splitting”, which results in two HTTP responses: one for the “normal” browser rendering, and one for all other requests.
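
The URL-encoding countermeasure from the list above, shown as an added example that is not code from the original page: a link builder that concatenates a user-controlled value into a query string, next to two encoded variants and a check for duplicated parameter names. The host `app.example`, the parameter names `action` and `id`, and all function names are assumptions made for illustration.

```javascript
// Added example. BASE, parameter names and function names are hypothetical.
const BASE = "https://app.example/view";

// Vulnerable pattern: the value is pasted into the query string as-is,
// so a '&' or '=' inside it becomes query-string syntax instead of data.
function buildLinkUnsafe(id) {
  return BASE + "?action=read&id=" + id;
}

// Hardened: percent-encode the value so '&', '=' and '#' stay part of "id".
function buildLinkSafe(id) {
  return BASE + "?action=read&id=" + encodeURIComponent(id);
}

// Hardened alternative: let URLSearchParams do the serialization.
function buildLinkParams(id) {
  const url = new URL(BASE);
  url.searchParams.set("action", "read");
  url.searchParams.set("id", id);
  return url.toString();
}

// Defensive check: names of parameters that occur more than once in a link.
// A generated link with a duplicated name is a sign of pollution.
function duplicatedParams(link) {
  const counts = new Map();
  for (const name of new URL(link).searchParams.keys()) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Constructed input: the value of "id" as client-side code sees it after
// the browser has decoded a request for ?id=1%26action%3Ddelete
const pollutedId = "1&action=delete";

console.log(buildLinkUnsafe(pollutedId), duplicatedParams(buildLinkUnsafe(pollutedId)));
console.log(buildLinkSafe(pollutedId), duplicatedParams(buildLinkSafe(pollutedId)));
console.log(buildLinkParams(pollutedId), duplicatedParams(buildLinkParams(pollutedId)));
```

Running `duplicatedParams` over links the application generates, for example in a test suite, catches builders that skip the encoding step.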
Client-Side HTTP Parameter Pollution Attack
Client-Side HTTP Parameter Pollution is a client-side security vulnerability in web applications designed to use HTTP requests. HTTP parameter pollution exploits the ability of HTTP methods such as POST, PUT and DELETE to send additional data with a request. This allows attackers to inject arbitrary HTML code which will be processed by the vulnerable application as part of its normal operation. The vulnerability specifically targets web frameworks that facilitate the development of SPAs (Single Page Applications) where content can be dynamically generated before page rendering or in response to user actions.