I read about it here https://www.npmjs.com/package/hpp
It says: "Express populates http request parameters with same name in an array. Attacker can pollute request parameters to exploit this mechanism"
I don't understand what mechanism the attacker can use?
What they say is that the mechanism of transforming a simple value parameter into an array parameter can be exploited.
If you expect name to be a string:
?name=hello
They can transform it into an array like this:
?name=hello1&name=hello2
You will not get a string but an array:
[ "hello1", "hello2" ]
This mechanism is implicit and thus can be forced by the user even when you do NOT want an array but a string.
This is all they say. From there, several consequences may ensue based on what your code actually does. To protect against it, you should probably check that strings are strings and arrays are arrays. Here comes the ever-lasting adage of security:
Never trust the user, never trust input.
Repeat 10 times a day.
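The behaviour described in the answer above, as an added example that is not part of the original answer or of the hpp package: a handler that assumes `name` is a string fails when the name is repeated, while a type check rejects the request cleanly. `parseQuery` is a hypothetical stand-in for Express's query parsing, and `greetUnchecked`, `greetChecked`, `lastValue` and the 64-character limit are assumptions made for illustration.

```javascript
// Stand-in for the parsing the answer describes: a name that appears
// once stays a string, a repeated name silently becomes an array.
function parseQuery(search) {
  const out = Object.create(null); // no inherited keys to collide with
  for (const [key, value] of new URLSearchParams(search)) {
    if (!(key in out)) out[key] = value;
    else if (Array.isArray(out[key])) out[key].push(value);
    else out[key] = [out[key], value];
  }
  return out;
}

// Handler written on the assumption that name is always a string.
// With ?name=hello1&name=hello2 the array has no trim() and this throws.
function greetUnchecked(query) {
  return "Hello " + query.name.trim().toUpperCase();
}

// Same handler, but the type is checked before the value is used.
function greetChecked(query) {
  const name = query.name;
  if (typeof name !== "string" || name.length === 0 || name.length > 64) {
    return { status: 400, body: "name must be a single string" };
  }
  return { status: 200, body: "Hello " + name.trim().toUpperCase() };
}

// Alternative policy: collapse a repeated parameter to its last value
// instead of rejecting the request.
function lastValue(value) {
  return Array.isArray(value) ? value[value.length - 1] : value;
}

// Constructed sample inputs, matching the two query strings in the answer.
const single = parseQuery("?name=hello");
const repeated = parseQuery("?name=hello1&name=hello2");
console.log(single.name, repeated.name);
console.log(greetChecked(single), greetChecked(repeated));
console.log(lastValue(repeated.name));
```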