Hello to all.
I do not know if this is just a problem for my current project, but we are facing a HTTP pollution problem with the native category and tag facet.
Liferay uses multiple parameter replications on his native search facets, as showed below with the category facet:
https://<hostname>/search?q=retirement&category=42152&category=42158
The problem is that the client’s WAF blocks all parameter replication, using OWASP best practices triggering the HTTP Parameter Pollution (HPP) vulnerability:
- ID WSTG-INPV-04 (https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/… )
After presenting this findings to support, I’ve got an answer from the product team that the behaviour reported is not a security vulnerability but the expected one and that the search functionality has been working the same way since 7.1 and none has been reported/found since then.
Does anyone had this same issue?
Is it the WAF being excessively cautious?
Thank you.