Need

Prevent unexpected behavior due to injection of extra HTTP parameters

Context

• Usage of Elixir for building scalable and fault-tolerant applications

• Usage of Plug Cowboy for building web applications in Elixir

• Usage of HTTP parameter validation

• Usage of input sanitization for protecting against malicious user input

Description

1. Non-compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # Every query parameter, expected or not, is accepted as-is and passed on
    params = fetch_query_params(conn).query_params
    send_resp(conn, 200, "Hello, #{params["name"]}")
  end
end

This Elixir code is vulnerable because it performs no validation or sanitization of the incoming parameters: every query parameter, expected or not, is accepted as-is. This allows injection of extra parameters that can cause unexpected behavior.

2. Steps

• Validate the incoming parameters to ensure they are the ones the route expects, and reject or ignore any others.

• Sanitize the accepted parameters to remove any potentially harmful data before using them.

3. Secure code example

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  get "/" do
    # Keep only the parameter this route expects and require it to be present
    case Map.take(fetch_query_params(conn).query_params, ["name"]) do
      %{"name" => name} when is_binary(name) ->
        send_resp(conn, 200, "Hello, " <> String.replace(name, ~r/[<>]/, ""))
      _ ->
        send_resp(conn, 400, "missing or invalid 'name' parameter")
    end
  end
end

This Elixir code is safe because it validates and sanitizes the incoming parameters. It accepts only the expected 'name' parameter, checks that it is present and is a string, and strips angle brackets from its value before using it; any extra parameters are discarded.
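A reusable version of the same check, as an added example that is not part of the original page: a Plug (the module name MyApp.Plugs.ValidateParams and its `allowed` and `required` options are assumptions) that rejects the request when any query parameter outside an allow-list is present and type-checks the allowed ones before the router handler sees them.

```elixir
defmodule MyApp.Plugs.ValidateParams do
  # Hypothetical plug (not part of the original page): rejects any query
  # parameter outside an explicit allow-list and type-checks the rest.
  # Usage in a router, before `plug :match`:
  #   plug MyApp.Plugs.ValidateParams,
  #     allowed: %{"name" => :string, "page" => :integer}, required: ["name"]
  import Plug.Conn

  def init(opts), do: Map.new(opts)

  def call(conn, %{allowed: allowed} = opts) do
    conn = fetch_query_params(conn)
    params = conn.query_params
    required = Map.get(opts, :required, [])

    with [] <- Map.keys(params) -- Map.keys(allowed),
         [] <- required -- Map.keys(params),
         {:ok, clean} <- cast_all(params, allowed) do
      # Handlers read conn.assigns.params, never the raw query map
      assign(conn, :params, clean)
    else
      # Fail closed: an unexpected or missing key never reaches the handler
      [key | _] -> reject(conn, "unexpected or missing parameter: #{key}")
      {:error, key} -> reject(conn, "invalid value for parameter: #{key}")
    end
  end

  defp cast_all(params, allowed) do
    Enum.reduce_while(params, {:ok, %{}}, fn {key, value}, {:ok, acc} ->
      case cast(value, Map.fetch!(allowed, key)) do
        {:ok, v} -> {:cont, {:ok, Map.put(acc, key, v)}}
        :error -> {:halt, {:error, key}}
      end
    end)
  end

  # Only scalar strings pass; ?name[]=a and ?name[k]=v decode to lists/maps
  defp cast(value, :string) when is_binary(value),
    do: {:ok, String.replace(value, ~r/[<>]/, "")}
  defp cast(value, :integer) when is_binary(value) do
    case Integer.parse(value) do
      {int, ""} -> {:ok, int}
      _ -> :error
    end
  end
  defp cast(_value, _type), do: :error

  defp reject(conn, message), do: conn |> send_resp(400, message) |> halt()
end
```

Plug decodes a repeated key such as `?name=a&name=b` to its last value, so this allow-list only ever sees one `name`; if repeated keys matter to a handler, inspect `conn.query_string` before it is decoded.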