Uncommon query string parameter

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 OWASP 2019-API7 PCI v3.1-6.5.4 OWASP PC-C10 CWE-598 ISO27001-A.14.2.5 WASC-13 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N WSTG-INPV-04

Some applications accept several HTTP parameters with the same name in one request (HTTP parameter pollution). Different web servers, frameworks and application tiers resolve such duplicates differently: some keep the first value, some the last, and some concatenate them. When the component that validates the input and the component that uses it disagree on which value wins, an attacker can slip a value past input validation, overwrite internal variables of the application, and trigger internal application errors. Separately, sensitive data carried in the query string (CWE-598) is exposed in browser history, proxy and server logs, and Referer headers, so usernames, passwords, authentication tokens, database details and other sensitive values can leak to anyone who can read those records.


The following link is an example of a query string.



The following are the impacts of this vulnerability:

  • An attacker can obtain sensitive information about the server and the end users from query strings recorded in logs, history and Referer headers.
  • An attacker can bypass input validation or corrupt application state by supplying the same parameter more than once.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Implement consistent input validation for every input source: form fields, the query string, headers and cookies.
  • Accept each parameter only from the location where it is expected (for example, a password only in a POST body, never in the query string) and reject requests that supply the same parameter more than once.
  • Ensure that the application encodes user-supplied input before placing it in GET/POST requests to backend services, so that injected delimiters such as & and = cannot add or override parameters.
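As an added example (not code from the original page), the Python script below shows how one polluted query string is resolved differently by backends that keep the first, the last, or the concatenated value of a duplicate name, how that gap lets a value pass a front-end validator, and a check that rejects duplicate names and sensitive names in the query string. The URLs, the `SENSITIVE_NAMES` list and the toy `is_safe_id` validator are constructed for illustration; real frameworks vary, and the policies here only simulate that variation.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample URLs (not from the original page).
POLLUTED = "https://shop.example/item?id=42&id=42%27%20OR%201%3D1"
SENSITIVE = "https://shop.example/login?user=alice&password=hunter2"
CLEAN = "https://shop.example/item?id=42"

# Names that should never travel in a query string (CWE-598); illustrative list.
SENSITIVE_NAMES = {"password", "passwd", "token", "session", "api_key", "secret"}


def parse_query(url):
    """Return the decoded (name, value) pairs of a URL, duplicates preserved."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def resolve(pairs, policy):
    """Collapse duplicate names the way different backends do.

    policy: "first" keeps the first value, "last" keeps the last,
    "concat" joins all values with a comma.
    """
    out = {}
    for name, value in pairs:
        if name not in out:
            out[name] = value
        elif policy == "last":
            out[name] = value
        elif policy == "concat":
            out[name] = out[name] + "," + value
        # "first": keep the value already stored
    return out


def is_safe_id(value):
    """Toy front-end validator: only a short decimal id is accepted."""
    return value.isdigit() and len(value) <= 6


def validation_bypassed(url, front_policy, back_policy):
    """True when the tier that validates 'id' and the tier that consumes it
    resolve the duplicate differently, so a value the validator accepted is
    not the value the backend actually uses."""
    pairs = parse_query(url)
    front = resolve(pairs, front_policy).get("id", "")
    back = resolve(pairs, back_policy).get("id", "")
    return is_safe_id(front) and not is_safe_id(back)


def check_query(url):
    """Hardened check: report duplicate parameter names and sensitive names
    that appear in the query string. An empty list means the query is clean."""
    counts = Counter(name for name, _ in parse_query(url))
    problems = []
    for name, n in counts.items():
        if n > 1:
            problems.append(f"duplicate parameter: {name} ({n} occurrences)")
        if name.lower() in SENSITIVE_NAMES:
            problems.append(f"sensitive parameter in query string: {name}")
    return problems


if __name__ == "__main__":
    pairs = parse_query(POLLUTED)
    for policy in ("first", "last", "concat"):
        print(f"{policy:6s} -> id = {resolve(pairs, policy)['id']!r}")
    print("bypass (validator=first, backend=last):",
          validation_bypassed(POLLUTED, "first", "last"))
    for url in (POLLUTED, SENSITIVE, CLEAN):
        print(url, "->", check_query(url) or "ok")
```

Run it as a script to see the three resolutions side by side; the bypass only exists when the validating tier and the consuming tier pick different values, which is why the hardened check refuses duplicates outright instead of picking one.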
