Possible HTTP Parameter Pollution detected
- Rule ID: java_lang_http_parameter_pollution
- Languages: java
- Source: http_parameter_pollution.yml
Description
Using unsanitized user input to construct a URL can lead to HTTP Parameter Pollution (HPP) attacks. In such attacks, an attacker can manipulate the URL or request parameters to alter requests or access hidden information.
Remediations
- Do not use direct or unsanitized user input when constructing URLs or URL parameters.
- Do use alternative and safe methods to incorporate user input when constructing URLs. For example, a lookup table.
```java
import java.util.HashMap;
import org.apache.http.client.methods.HttpGet;

HashMap<String, String> lookupTable = new HashMap<>();
// ... populate hash map with the allowed values
String rawUserInput = request.getParameter("someParam");
// Only a value from the table (or the default) ever reaches the URL
String value = lookupTable.getOrDefault(rawUserInput, "someDefault");
HttpGet httpget = new HttpGet("https://example.com/?param=" + value);
```
- Do sanitize user input before using it in your URLs. This step ensures that any harmful characters or attempts to manipulate the URL are neutralized.
```java
import java.nio.charset.StandardCharsets;

String rawUserInput = request.getParameter("someParam");
// Percent-encodes '&', '=', '?' and '#', so the input cannot introduce extra parameters
String encoded = java.net.URLEncoder.encode(rawUserInput, StandardCharsets.UTF_8);
```
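The following is an added, self-contained example and is not code from the Bearer rule page: it builds the same URL with the flagged pattern and with both remediations above, then splits the resulting query string the way a server would, so the effect of a crafted value becomes visible. The class name `HppExample`, the helper methods, the parameter name `category` and the input string `"electronics&role=admin"` are all constructed for this example.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Bearer's code): the same URL built three ways from one
 * constructed input, followed by the parameters a server would see.
 */
public class HppExample {

    // Constructed input: a legitimate value with an attempt to smuggle a second parameter.
    static final String RAW_INPUT = "electronics&role=admin";

    /** Pattern the rule flags: raw user input concatenated into the URL. */
    static String buildUnsafe(String userInput) {
        return "https://example.com/search?category=" + userInput;
    }

    /** Remediation 1: only values from a fixed lookup table are placed in the URL. */
    static String buildWithLookup(String userInput) {
        Map<String, String> lookupTable = new HashMap<>();
        lookupTable.put("electronics", "electronics");
        lookupTable.put("books", "books");
        String value = lookupTable.getOrDefault(userInput, "all");
        return "https://example.com/search?category=" + value;
    }

    /** Remediation 2: URL-encode the input so '&' and '=' lose their delimiter meaning. */
    static String buildWithEncoding(String userInput) {
        String encoded = URLEncoder.encode(userInput, StandardCharsets.UTF_8);
        return "https://example.com/search?category=" + encoded;
    }

    /** Split the query on '&' and '=' as a typical server-side parser does. */
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        String query = URI.create(url).getRawQuery(); // raw form keeps %xx escapes intact
        if (query == null || query.isEmpty()) {
            return params;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(key, val);
        }
        return params;
    }

    public static void main(String[] args) {
        System.out.println("unsafe:  " + parseQuery(buildUnsafe(RAW_INPUT)));
        System.out.println("lookup:  " + parseQuery(buildWithLookup(RAW_INPUT)));
        System.out.println("encoded: " + parseQuery(buildWithEncoding(RAW_INPUT)));
    }
}
```

Running it shows the difference the rule is about: the unsafe URL yields two parameters, `category=electronics` and an attacker-controlled `role=admin`; the lookup-table URL yields only `category=all`, because the crafted string is not a table key; the encoded URL yields a single `category` parameter whose raw value is `electronics%26role%3Dadmin`, which the server decodes back to the literal text rather than to a second parameter. The lookup table is the stricter of the two remediations, since it also bounds what values are possible; encoding preserves arbitrary input while keeping it in one parameter.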
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=java_lang_http_parameter_pollution
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=java_lang_http_parameter_pollution