DEV Community

Poorshad Shaddel
Poorshad Shaddel

Posted on • Originally published at levelup.gitconnected.com on

Prevent Parameter Pollution in Node.JS

HTTP Parameter Pollution or HPP in short is a vulnerability that occurs due to passing of multiple parameters having the same name.


Parameter Pollution

What is Parameter Pollution?

HTTP Parameter Pollution or HPP in short is a vulnerability that occurs due to passing of multiple parameters having same name. There is no RFC standard on what should be done when passed multiple parameters.(Wikipedia)

How Node.JS (Express) Reacts to Parameter Pollution

There are various ways of passing parameters in order to cause a problem and we can see the list of some possible ways in this table:


Different ways of passing parameters

Now that we are cognizant of various forms and problems that someone can cause by passing parameters we can say that we must take it seriously. Let’s see how validators react to parameter pollution:

Two Node.JS Validators Reaction to Parameter Pollution

1-express-validator

This library is one of the most common Javascript libraries and it is built on top of the validatorjs library.

We have a simple express server that we want to send the email and after validating that we want to do something:

https://medium.com/media/2bd7079f8e8a6be13f98360ffb59458a/href

What happens when we try to pollute the parameters?


Result of request

As you can see if we pass the first parameter a valid email we can bypass the validation and guess what I have on my console (line 9 of the code)?


Console Log Result

Now we have an invalid email that might be saved into the database. Let’s hope that the attacker is sending I'm malware or something like alert("I'm a happy hacker") .

You might argue that we are going to send POST method and not get so this is the POST method example:

https://medium.com/media/0c0439820a911fb2c5366d9149ec2cfb/href

Let’s see what is the result this time:


Post Request HPP Result

As you expect the email log is { email: [‘test@gmail.com’, “I’m the same malware” ] }

2- Joi

Joi is another popular validation library. Let’s see how Joi reacts in the same situation:

https://medium.com/media/9ed0ab6a96f79b3b6feef981756ca26b/href

Let’s see the result


Joi validation result

As we can see Joi understands that this is not a string. Also if we use validator.js directly we are going to see a result like this and the problem of the former examples was express-validator.

How can we prevent parameter pollution?

We have two ways:

  • Using a library
  • Implement our own function

There is a useful library(unfortunately it seems that it is not maintained regularly) called hpp

Using it is a walk in the park and we can use it by adding it as a middle-ware to our express app:

app.use(hpp());
Enter fullscreen mode Exit fullscreen mode

After adding this line, if we pass a parameter more than once it changes the query to this:

GET /search?firstname=John&firstname=Alice&lastname=Doe

=>

req: {
    query: {
        firstname: 'Alice',
        lastname: 'Doe',
    },
    queryPolluted: {
        firstname: ['John', 'Alice']
    }
}
Enter fullscreen mode Exit fullscreen mode

It moves that parameter to queryPolluted and takes the last value.

Also you can add an exception since sometimes we want to pass an array.

What can we implement to prevent Parameter Pollution?

let’s implement a simple middle-ware:

https://medium.com/media/e94c77c3b8aa0f04d336392fd5e106b1/href

hppProtector is the middleware that is accountable to handle hpp. We simply iterate over the parameters and if the type is not string we check that, if the type is array we are choosing the first one(We could choose the last one too), if the type is object we send a bad request error because the user is sending something like this: email[as][ds]=something . This is just a simple example, do not rely on that.

Let’s see what happens when we send requests:


Simple HPP Implementation Result

In this case, the parameter generates an object and we send bad parameters error.

Let’s send a parameter more than once:


Passing One Parameter more than once to our HPP Implementation

The result of req.query.email is test@gmail.com since we use the first element of the array.

Summary

Parameter Pollution is a vulnerability that occurs due to passing of multiple parameters having same name. Some validation libraries are vulnerable to this kind of attack so we should handle this attacks using a library or our own implementation.

Nodejs Security - OWASP Cheat Sheet Series


Top comments (0)