Possible HTTP Parameter Pollution detected

Description

Unsanitized user input is being used to construct a URL. This can lead to HTTP Parameter Pollution (HPP) attacks, in which an attacker overrides the value of a URL or request parameter to manipulate requests or retrieve otherwise hidden information.

Remediations

❌ Never use direct or unsanitized user input when constructing URLs or URL parameters. Seek alternatives instead.

For example, use a map to convert user input to an appropriate parameter.

import java.util.HashMap;
import org.apache.http.client.methods.HttpGet; // assumes Apache HttpClient 4.x

HashMap<String, String> lookupTable = new HashMap<>();
// ... populate the lookup table with the allowed values
String rawUserInput = request.getParameter("someParam");

// Unknown input falls back to a safe default instead of reaching the URL
String value = lookupTable.getOrDefault(rawUserInput, "someDefault");
HttpGet httpget = new HttpGet("https://example.com/?param=" + value);

✅ Always sanitize user input

import java.nio.charset.StandardCharsets;

String rawUserInput = request.getParameter("someParam");
// Percent-encodes '&', '=' and other delimiters so the input cannot add or override parameters
String encoded = java.net.URLEncoder.encode(rawUserInput, StandardCharsets.UTF_8);
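As an added example (not part of the Bearer rule or the original page), the following stand-alone Java program shows why the flagged concatenation matters and how each remediation above changes the resulting query. The input string, the lookup table and the `role` parameter are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class HppDemo {
    // Constructed sample input: a value that smuggles a second "role" parameter.
    static final String RAW_INPUT = "guest&role=admin";

    // Allowlist from the first remediation: only known inputs map to a value.
    static final Map<String, String> LOOKUP = Map.of("guest", "guest", "member", "member");

    // Flagged pattern: raw input concatenated into the URL.
    static String buildUnsafe(String raw) {
        return "https://example.com/?role=user&param=" + raw;
    }

    // Second remediation: encode, so '&' and '=' become %26 and %3D.
    static String buildEncoded(String raw) {
        return "https://example.com/?role=user&param="
                + URLEncoder.encode(raw, StandardCharsets.UTF_8);
    }

    // Both remediations combined: look up first, then encode the chosen value.
    static String buildAllowlisted(String raw) {
        String value = LOOKUP.getOrDefault(raw, "guest");
        return buildEncoded(value);
    }

    // Minimal query parser with last-value-wins for duplicate keys, which is how
    // some server frameworks resolve duplicates (others keep the first, or all).
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : url.substring(url.indexOf('?') + 1).split("&")) {
            int eq = pair.indexOf('=');
            params.put(eq < 0 ? pair : pair.substring(0, eq),
                       eq < 0 ? "" : pair.substring(eq + 1));
        }
        return params;
    }

    public static void main(String[] args) {
        System.out.println("unsafe:      " + parseQuery(buildUnsafe(RAW_INPUT)));
        System.out.println("encoded:     " + parseQuery(buildEncoded(RAW_INPUT)));
        System.out.println("allowlisted: " + parseQuery(buildAllowlisted(RAW_INPUT)));
    }
}
```

Run with `java HppDemo.java` (Java 11 or newer): the unsafe build ends up with `role` set by the input, while the encoded and allowlisted builds keep `role=user`.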

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_http_parameter_pollution

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_http_parameter_pollution
