BETA Shoulder is in beta — Findings may sometimes be wrong. Your feedback shapes what we fix next. Share feedback
Shoulder.dev

Understand what every change actually did to your system.

Improper Handling of Extra Parameters

🛡️ 2 rules detect this

Improper Handling of Extra Parameters

The product does not handle or incorrectly handles when the number of parameters, fields, or arguments with the same name exceeds the expected amount.

When applications receive duplicate parameters, they may process them inconsistently, leading to security bypasses or logic errors. Different frameworks may select the first, last, or combine duplicate parameters.

Prevalence
Medium
2 languages covered
Impact
Medium
Review recommended
Prevention
Documented
2 fix examples
2 Prevention
2 Prevention

How to fix this vulnerability

Prevention strategies for Improper Handling of Extra Parameters based on 2 Shoulder detection rules.

🟨 JavaScript View all JavaScript details →
HTTP Parameter Pollution Prevention in Express.js LOW

Add hpp middleware to normalize duplicate query parameters

+3 -0 javascript 
+ const hpp = require('hpp');
+ app.use(hpp());
+ 
  app.get('/search', (req, res) => {
    const role = req.query.role;
    if (role === 'admin') {
      res.json({ admin: true });
    }
  });
🐍 Python View all Python details →
HTTP Parameter Pollution MEDIUM

Explicitly check for and reject duplicate HTTP parameters

+8 -7 python 
- from flask import request
- 
- @app.route('/api/action')
- def action():
-     user_id = request.args.get('id')
-     # Attacker sends: ?id=1&id=admin
-     # Only gets first value, but backend proxy may use last
+ from flask import request, jsonify
+ 
+ @app.route('/api/action')
+ def action():
+     all_ids = request.args.getlist('id')
+     if len(all_ids) != 1:
+         return jsonify({'error': 'Duplicate parameters not allowed'}), 400
+     user_id = all_ids[0]
      perform_action(user_id)
3 Detection
3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Improper Handling of Extra Parameters patterns. 2 rules.

terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=235

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (2)

4 Warning Signs
4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Improper Handling of Extra Parameters vulnerabilities. Look for these during code reviews and security audits.

🟡
handling of duplicate HTTP parameters without proper validation python-parameter-pollution
🔵
Request parameters used without HPP protection. Express converts duplicate query/body params to arrays, which can bypass javascript-express-hpp-prevention
🔵
missing HTTP Parameter Pollution (HPP) protection in Express javascript-express-hpp-prevention
🔍

Scan your codebase for Improper Handling of Extra Parameters

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules