Details
Alert ID: 10026
Alert Type: Passive
Status: beta
Risk: Medium
CWE: 20
WASC: 20
Technologies Targeted: All
Tags: CWE-20, OWASP_2017_A06, OWASP_2021_A04
More Info: Scan Rule Help

Summary

Unspecified form action: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable.

Solution

All forms must specify the action URL.
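
A minimal check for the condition this alert describes, as an added example that is not ZAP's scan rule code: it parses a response body and reports every form that does not specify an action URL. Treating an empty action value as unspecified, the names used and the sample page are assumptions made for this example.

```python
from html.parser import HTMLParser


class FormActionAuditor(HTMLParser):
    """Collects <form> start tags that carry no usable action URL."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names before calling us.
        if tag != "form":
            return
        attr_map = {}
        for name, value in attrs:
            attr_map.setdefault(name, value)  # first duplicate attribute wins
        action = attr_map.get("action")
        if action is None:
            reason = "missing action attribute"
        elif not action.strip():
            # Assumption of this example: an empty value counts as unspecified.
            reason = "empty action attribute"
        else:
            return
        line, _column = self.getpos()
        self.findings.append(
            {"line": line, "id": attr_map.get("id"), "reason": reason}
        )


def audit_forms(html):
    """Return one finding per form in `html` that lacks an action URL."""
    auditor = FormActionAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample response body, not taken from any real application.
SAMPLE_PAGE = """<html><body>
<form id="search" method="get"><input name="q"></form>
<form id="login" action="/login" method="post"><input name="user"></form>
<form id="profile" action="" method="post"><input name="email"></form>
<FORM ID="upload" ACTION="/upload" METHOD="post"><input type="file" name="f"></FORM>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_PAGE):
        print("line {line}: form id={id!r}: {reason}".format(**finding))
```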

Code

org/zaproxy/zap/extension/pscanrulesBeta/ServletParameterPollutionScanRule.java