I read about it here: https://www.npmjs.com/package/hpp
It says: "Express populates http request parameters with same name in an array. Attacker can pollute request parameters to exploit this mechanism"
I don't understand what mechanism the attacker can use?
asked Jun 5, 2015 at 17:31 by user310291

1 Answer
What they say is that the mechanism of transforming a simple value parameter into an array parameter can be exploited.
If you expect name to be a string:
?name=hello
They can transform it into an array like this:
?name=hello1&name=hello2
You will not get a string but an array:
[ "hello1", "hello2" ]
This mechanism is implicit and thus can be forced by the user even when you do NOT want an array but a string.
This is all they say. From there, several consequences may ensue based on what your code actually does. To protect against it, you should probably check that strings are strings and arrays are arrays. Here comes the ever-lasting adage of security:
Never trust the user, never trust input.
Repeat 10 times a day.
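
The answer's advice to check that strings are strings, shown as an added example (not part of the original answer, and not Express's or hpp's own code). `parseQuery` is a hypothetical stand-in that only mimics the repeated-name-to-array behaviour described above, and the 8-character limit is an assumed validation rule.

```javascript
// Hypothetical stand-in for the query parsing described above: a name that
// appears once yields a string, a repeated name yields an array.
function parseQuery(search) {
  const out = Object.create(null); // no inherited keys such as "toString"
  for (const [key, value] of new URLSearchParams(search)) {
    if (!(key in out)) out[key] = value;
    else if (Array.isArray(out[key])) out[key].push(value);
    else out[key] = [out[key], value];
  }
  return out;
}

// Before: assumes name is a string. For an array, .length is the number of
// elements, so the limit no longer measures what the author intended.
function naiveNameOk(query) {
  return query.name.length <= 8; // assumed rule: at most 8 characters
}

// After: refuse anything that is not exactly one string before using it.
function requireString(query, key) {
  const value = query[key];
  if (typeof value !== 'string') {
    throw new TypeError(`query parameter "${key}" must be a single string`);
  }
  return value;
}

function strictNameOk(query) {
  return requireString(query, 'name').length <= 8;
}

// Constructed sample inputs.
function demo() {
  const single = parseQuery('?name=hello');
  const repeated = parseQuery('?name=hello1&name=a-much-longer-value');
  let strictRepeated;
  try {
    strictRepeated = strictNameOk(repeated);
  } catch (err) {
    strictRepeated = `rejected: ${err.message}`;
  }
  return {
    naiveSingle: naiveNameOk(single),
    naiveRepeated: naiveNameOk(repeated), // passes although one value is 19 chars
    strictSingle: strictNameOk(single),
    strictRepeated,
  };
}

console.log(demo());
```
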