What is HTTP Parameter Pollution in NodeJS / ExpressJs

I read about it here https://www.npmjs.com/package/hpp

It says, "Express fills in HTTP request parameters with the same name in an array. An attacker could pollute the request parameters in order to use this mechanism."

I don't understand what mechanism an attacker can use?

+3




1 answer


They say that a mechanism can be used to convert a simple value parameter to an array parameter.

If you expect name to be a string:

?name=hello

      

They can convert it to an array like this:

?name=hello1&name=hello2

      

You won't get a string, but an array:



[ "hello1", "hello2" ]

      

This mechanism is implicit and therefore can be forced by the user even if you do NOT want an array, but a string.

That's all they say. From there, several consequences can occur based on what your code is actually doing. To protect it, you should probably check that strings are strings and arrays are arrays. Here goes the constant adage of safety:

Never trust the user, never trust the inputs.

Repeat 10 times a day.

+6
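The type check the answer recommends, as an added example that is not part of the original answer or of the hpp package. `parseQuery` is a hypothetical stand-in that mirrors the array behaviour described above for Express's `req.query`; the function names, the 8-character limit and the sample query strings are assumptions made for illustration.

```javascript
// Stand-in for req.query (assumption): repeated names become an array,
// a single occurrence stays a string.
function parseQuery(search) {
  const out = Object.create(null); // no inherited keys such as "toString"
  for (const [key, value] of new URLSearchParams(search)) {
    if (!(key in out)) out[key] = value;
    else if (Array.isArray(out[key])) out[key].push(value);
    else out[key] = [out[key], value];
  }
  return out;
}

// Naive validation: written as if name were always a string, so .length
// is meant to be a character count. For an array it is the element count.
function naiveIsShortName(query) {
  return query.name !== undefined && query.name.length <= 8;
}

// Hardened accessor: the parameter must be present exactly once, as a string.
function singleString(query, key) {
  const value = query[key];
  if (typeof value !== 'string') {
    throw new TypeError(`parameter "${key}" must be a single string`);
  }
  return value;
}

function strictIsShortName(query) {
  return singleString(query, 'name').length <= 8;
}

// Constructed sample inputs.
const normal = parseQuery('?name=hello');
const longValue = 'a'.repeat(20);
const polluted = parseQuery(`?name=${longValue}&name=${longValue}`);

console.log(naiveIsShortName(normal));   // string of 5 characters
console.log(naiveIsShortName(polluted)); // array of 2 elements passes the check
try {
  strictIsShortName(polluted);
} catch (err) {
  console.log(err.message);              // rejected before any length check
}
```

In a real Express handler the same `singleString` check would be applied to `req.query` (and to body parameters parsed the same way) before the value reaches any code that assumes a string.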

