Hi there,
According to the Apigee docs, the JavaScript policy can be used to rewrite the target URL.
However, the solution provided in the docs is vulnerable to HTTP parameter pollution, since Apigee decodes all parameters extracted either via the ExtractVariables policy or via the request.* object.
Moreover, an attacker can add a hash ("#"), which may result in unexpected behavior of the target system, since part of the target request query may be omitted.
And as I see, many developers rely on this solution 😢.
To mitigate the issue above, please add a statement about URL encoding before constructing the target URL.
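
An added example (not part of the original post and not the code from the Apigee docs) that puts the concatenation pattern described above next to the encoded form and parses what the target would receive. The base URL, parameter names and sample values are constructed, and the functions run under Node.js rather than inside an Apigee proxy.

```javascript
// Added example; BASE, the parameter names and the samples are constructed.
// In an Apigee JavaScript policy the decoded value would come from
// context.getVariable("request.queryparam.id") and the result would be
// written with context.setVariable("target.url", url).

var BASE = "https://backend.example.internal/v1/items"; // hypothetical target

// Pattern under discussion: the decoded value is concatenated as-is.
function buildTargetUrlUnencoded(decodedId) {
  return BASE + "?id=" + decodedId + "&scope=public";
}

// Mitigation: re-encode the decoded value before building the URL.
function buildTargetUrlEncoded(decodedId) {
  return BASE + "?id=" + encodeURIComponent(decodedId) + "&scope=public";
}

// Report how the target side would parse the resulting URL.
function inspect(url) {
  var u = new URL(url);
  return {
    ids: u.searchParams.getAll("id"),
    scopes: u.searchParams.getAll("scope"),
    fragment: u.hash
  };
}

// Constructed inputs as they look after Apigee has decoded them
// (the client sent id=42%26scope%3Dother and id=42%23x).
var samples = ["42", "42&scope=other", "42#x"];
samples.forEach(function (value) {
  console.log(JSON.stringify(value));
  console.log("  unencoded:", JSON.stringify(inspect(buildTargetUrlUnencoded(value))));
  console.log("  encoded:  ", JSON.stringify(inspect(buildTargetUrlEncoded(value))));
});
```

With the unencoded builder the second sample yields two `scope` values and the third drops `scope` into the fragment; with the encoded builder both arrive as a single literal `id` value.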