How is following HTTP url string parameter encoded and decoded? &=& vs &&

Question

I was going through some website and stumbled upon following bug in it, while playing with different combinations for url parameters.

When I append ?&=& to any valid url on this website I get following error: /p is part of url (java.lang.ArrayIndexOutOfBoundsException).

Chrome parses the string as below:

But this exception is not raised when I append ?&& instead of ?&=&. Chrome parses both string into same thing.

• How is "?&=&" actually parsed and how is it different from "?&&"? As chrome parses them into same thing why does it generate an exception only in former case?
• What kind of bug does this website might have?
• Can such bug be used to do some kind of attack on this website?

Note:

• I do not own this website so I am just curious to know what might have caused this bug.
• Issue is seen consistently on both chrome and firefox.
• builtwith.com says this website uses ngix server.
• Let me know if this is offtopic here. Didnt find any such info.

Edit:

I understand what this exception means. I just want to know if these 2 kind of parameter are parsed differently. What are the possible cause of such a bug.

Answer 1

A java.lang.ArrayOutOfBoundsException caused by the Java backend of the page.

This exception occurs when a java application is trying to access an element in a Java Array that does not exist.

How and why exactly this occurs or how the url parameters are processed is impossible to say without having access to the source code of the backend.

It is not caused by the frontend code or by your browser.