Possible HTTP Parameter Pollution detected


Using unsanitized user input to construct a URL can lead to HTTP Parameter Pollution (HPP) attacks. In such attacks, an attacker can manipulate the URL or request parameters to alter requests or access hidden information.


  • Do not use direct or unsanitized user input when constructing URLs or URL parameters.
  • Do use alternative and safe methods to incorporate user input when constructing URLs. For example, a lookup table.
    HashMap<String, String> lookupTable = new HashMap<>();
    // ... populate hash map
    String rawUserInput = request.getParameter("someParam");
    String value = lookupTable.getOrDefault(rawUserInput, "someDefault");
    HttpGet httpget = new HttpGet("https://example.com/?param=" + value);
  • Do sanitize user input before using it in your URLs. This step ensures that any harmful characters or attempts to manipulate the URL are neutralized.
    String rawUserInput = request.getParameter("someParam");
    String encoded = java.net.URLEncoder.encode(rawUserInput, StandardCharsets.UTF_8);

Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_http_parameter_pollution

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_http_parameter_pollution