Anticipating malicious input
One of the most common classes of vulnerability that attackers exploit is injection, with SQL injection being particularly prevalent. In a SQL injection attack, the attacker supplies input that the application passes to the database as part of a SQL statement, allowing them to delete, alter, or expose the data stored there.
If an application accepts input in any form, you need to take precautions to ensure that malicious input cannot be used to exploit it.
HTTP parameter pollution is a form of injection in which an attacker supplies crafted parameters to a web application's HTTP endpoints, typically by repeating a parameter (for example, `?msg=hello&msg=world`) so that the server receives an array where the code expects a single string. Parameter pollution can be used to expose internal data or to cause a denial of service (DoS), where an attacker interrupts a resource and renders it inaccessible to its intended users; a handler that calls a string method on an unexpected array will throw and, if the exception is unhandled, take the whole process down.
In this recipe, we’ll look at how we can protect an HTTP server against parameter pollution attacks. Parameter pollution attacks...