HTTP allows multiple parameters with the same name in both GET and POST requests. The HTTP standards neither explain nor set rules on how to interpret multiple input parameters with the same name: whether to accept the last occurrence of the variable or the first, or to treat the values as an array.
In the following example, the POST request is as per the standard. The only difference is that the item_id variable has both num1 and num2 as values:

item_id=num1&item_id=num2
Although this is acceptable as per the HTTP protocol standard, the way different web servers and development frameworks handle multiple parameters with the same name varies. Because developers rarely know which rule their stack applies, this handling of multiple parameters often leads to security issues. This unexpected behavior is known as HTTP parameter pollution. The following screenshot shows this behavior:
Major web application frameworks / web servers and their response to duplicate parameters are shown in the following table:

| Framework/Web server | Resulting action | Example... |
|---|---|---|
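The differing interpretations described above can be reproduced locally. The following Python script is an added example, not code from the original text: it parses the text's own sample query string under three hypothetical resolution policies (first occurrence, last occurrence, or all values as a list) and then shows the defensive counterpart, a validator that flags or rejects any parameter name that occurs more than once so that every layer of the application sees a single, unambiguous value. The query string is constructed from the example in the text; the policy names and function names are assumptions for illustration.

```python
from urllib.parse import parse_qsl

# Constructed sample, built from the text's example plus one extra
# parameter so the checks have something single-valued to compare against.
SAMPLE_QUERY = "item_id=num1&item_id=num2&user=alice"


def interpret(query: str, policy: str) -> dict:
    """Emulate how a framework might resolve duplicate parameter names.

    policy is one of the hypothetical labels 'first' (keep the first
    occurrence), 'last' (keep the last occurrence) or 'all' (collect every
    value into a list). The point is that the same request yields a
    different item_id depending on which rule a server or framework applies.
    """
    pairs = parse_qsl(query, keep_blank_values=True)
    result: dict = {}
    for name, value in pairs:
        if policy == "first":
            result.setdefault(name, value)
        elif policy == "last":
            result[name] = value
        elif policy == "all":
            result.setdefault(name, []).append(value)
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return result


def duplicated_parameters(query: str) -> list:
    """Return the names that appear more than once in the query string.

    A reverse proxy, WAF rule or input validator can log or reject requests
    carrying such names; that removes the ambiguity before the request
    reaches components that might disagree on how to resolve it.
    """
    counts: dict = {}
    for name, _ in parse_qsl(query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, count in counts.items() if count > 1)


def strict_single_valued(query: str) -> dict:
    """Parse a query string but refuse any duplicated parameter name.

    Raises ValueError naming the offending parameter(s), so the caller can
    reject the request rather than silently picking one of the values.
    """
    dups = duplicated_parameters(query)
    if dups:
        raise ValueError(f"duplicate parameter(s) rejected: {', '.join(dups)}")
    return dict(parse_qsl(query, keep_blank_values=True))


if __name__ == "__main__":
    for policy in ("first", "last", "all"):
        print(f"{policy:>5}: item_id = {interpret(SAMPLE_QUERY, policy)['item_id']!r}")
    print("duplicated names:", duplicated_parameters(SAMPLE_QUERY))
    try:
        strict_single_valued(SAMPLE_QUERY)
    except ValueError as exc:
        print("strict parser:", exc)
```

Running the script shows item_id resolving to num1, num2 or ['num1', 'num2'] depending on the policy, which is exactly the inconsistency the table above catalogues per framework; the strict parser is the simple mitigation of refusing to guess.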