Weakness reference
CWE-235

Improper Handling of Extra Parameters

This weakness occurs when software accepts more parameters, fields, or arguments than it expects or validates, potentially allowing attackers to inject…

01Summary

This weakness occurs when software accepts more parameters, fields, or arguments than it expects or validates, potentially allowing attackers to inject unintended data or bypass security checks. The application may silently ignore extra parameters, process them in unexpected ways, or use them to override legitimate values — creating a gap between what the developer intended and what the code actually does.

02How It Happens

Most applications are designed to accept a specific set of input parameters. However, many frameworks and languages allow extra parameters to be passed without explicit rejection. If the application doesn't validate the *number* of parameters or doesn't explicitly allowlist which parameters are acceptable, an attacker can supply additional fields that the developer never anticipated. These extra parameters might be processed by underlying libraries, assigned to object properties via mass-assignment, or used to influence conditional logic in ways the original code didn't account for. The vulnerability is especially common in web applications where HTTP requests can include arbitrary query strings, POST fields, or JSON keys.

03Real-World Impact

An attacker exploiting this weakness can bypass authentication checks, escalate privileges, modify database records they shouldn't access, or inject malicious data into the application state. For example, an extra parameter might set an is_admin flag, override a user ID, or inject a value into a SQL query that the application thought was safely constrained. In some cases, extra parameters can be used to pollute HTTP caches or confuse security filters that only check for known parameter names.

04Vulnerable & Fixed Patterns

Vulnerable pattern
from flask import Flask, request

app = Flask(__name__)

@app.route('/update_profile', methods=['POST'])
def update_profile():
    user_id = request.form.get('user_id')
    name = request.form.get('name')
    email = request.form.get('email')
    
    # Application only expects 3 fields, but doesn't validate
    # An attacker can add extra fields like 'is_admin=true' or 'role=moderator'
    user_data = request.form.to_dict()
    db.update_user(user_id, user_data)
    
    return "Profile updated"

Why it's vulnerable:
The code converts all form parameters into a dictionary and passes them directly to the database update function. An attacker can include extra fields (e.g., is_admin, role, balance) that the developer didn't intend to be modifiable, and these will be processed without validation.

Fixed pattern
from flask import Flask, request

app = Flask(__name__)

@app.route('/update_profile', methods=['POST'])
def update_profile():
    user_id = request.form.get('user_id')
    
    # Explicitly allowlist only the parameters we expect
    allowed_fields = {'name', 'email'}
    user_data = {
        key: request.form.get(key)
        for key in allowed_fields
        if key in request.form
    }
    
    db.update_user(user_id, user_data)
    return "Profile updated"
Vulnerable pattern
<?php
// Expecting: username, password, email
// But accepting anything in $_POST

$user_id = $_POST['user_id'];
$updates = array();

foreach ($_POST as $key => $value) {
    // Blindly assigns all POST parameters
    $updates[$key] = sanitize($value);
}

$wpdb->update('users', $updates, array('ID' => $user_id));
?>

Why it's vulnerable:
The loop processes every key in $_POST without checking whether it's an intended field. An attacker can add user_role=administrator or user_status=active and have those fields updated in the database.

Fixed pattern
<?php
$user_id = $_POST['user_id'];
$allowed_fields = array('username', 'email', 'display_name');
$updates = array();

foreach ($allowed_fields as $field) {
    if (isset($_POST[$field])) {
        $updates[$field] = sanitize($_POST[$field]);
    }
}

$wpdb->update('users', $updates, array('ID' => $user_id));
?>

05Prevention Checklist

Explicitly allowlist parameters:
Define exactly which parameters your endpoint or function accepts, and reject or ignore anything else.
Validate parameter count:
If your application has a fixed expected number of parameters, verify that the request doesn't exceed it.
Avoid mass-assignment:
Don't automatically map all request fields to object properties or database columns; assign each field individually.
Use schema validation:
For JSON APIs, use a schema validator (e.g., JSON Schema, Pydantic) that rejects extra fields by default.
Test with extra parameters:
Include test cases that send unexpected parameters and verify they are ignored or rejected, not processed.
Document expected inputs:
Maintain clear API documentation listing all valid parameters so developers don't accidentally process extras.

06Signs You May Already Be Affected

Look for unexpected fields in your database records that you didn't explicitly set through your application UI — for example, admin flags or role fields that shouldn't have been modified. Review access logs for requests with unusual parameter names or counts that don't match your documented API. Check for privilege escalation or data modification incidents that occurred without corresponding legitimate user actions.