Bugtraq mailing list archives

Follow-up on HTTP Parameter Pollution


From: embyte <embyte () madlab it>
Date: Wed, 8 Dec 2010 20:42:37 +0100

Hi all,

I have just blogged about research we recently did on HTTP Parameter
Pollution [1]. I would like to share it with you.

HPP attacks consist of injecting encoded query string delimiters into
other existing parameters. If a web application does not properly
sanitize the user input, a malicious user can compromise the logic of
the application to perform either client-side or server-side attacks.
One consequence of HPP attacks is that the attacker can potentially
override existing hard-coded HTTP parameters to modify the behavior of
an application, bypass input validation checkpoints, and access and
possibly exploit variables that may be out of direct reach.

To the best of our knowledge, no tools have been presented to date for
the detection of this sort of vulnerability and no studies have been
published on the topic. The most effective means of discovering HPP
vulnerabilities in websites is via manual inspection. At the same time,
it is unclear how common and significant a threat HPP vulnerabilities
are in existing web applications.

We, therefore, decided to dig deeper into the detection problem and
create the first automated system for the detection of HPP
vulnerabilities in web applications. We then tested more than 5,000
popular web sites (taken from Alexa) and we discovered that 1499 of
them contained at least one vulnerable page. That is, the tool was
able to automatically inject an encoded parameter inside one of the
existing parameters, and was then able to verify that its URL-decoded
version was included in one of the URLs (links or forms) of the
resulting page.
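A small added illustration (not code from the paper or from PAPAS) of the check the post describes: an encoded delimiter is appended to one existing parameter, and the page's rebuilt links are inspected for the decoded form. The vulnerable and fixed link builders, the `/view` path and the `hpp_probe` marker name are constructed for this example.

```python
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed marker: "%26hpp_probe%3D1" is "&hpp_probe=1" once URL-decoded.
INJECTED = "%26hpp_probe%3D1"


def build_links_vulnerable(params):
    """Page that rebuilds its links by string concatenation of already-decoded
    values, so a decoded '&' inside a value becomes a new query delimiter."""
    return ["/view?" + "&".join(f"{k}={v}" for k, v in params.items())]


def build_links_fixed(params):
    """Same page, but values are re-encoded with urlencode before being placed
    in a link, so an embedded '&' is emitted as '%26' and stays inside the value."""
    return ["/view?" + urlencode(params)]


def page_links(query_string, builder):
    """Simulates the server: decode the raw query string (as web frameworks do),
    then hand the decoded values to the page's link builder."""
    decoded = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    return builder(decoded)


def probe_hpp(query_string, target_param, builder):
    """Append the encoded delimiter to target_param, render the page, and return
    every link in which the injected parameter now appears as a separate,
    URL-decoded parameter (an empty list means the page did not reflect it)."""
    injected = []
    for part in filter(None, query_string.split("&")):
        key, _, value = part.partition("=")
        injected.append(f"{key}={value}{INJECTED}" if key == target_param else part)
    links = page_links("&".join(injected), builder)
    return [link for link in links if "hpp_probe" in parse_qs(urlparse(link).query)]


if __name__ == "__main__":
    for builder in (build_links_vulnerable, build_links_fixed):
        print(builder.__name__, probe_hpp("id=10&lang=en", "id", builder))
```

The vulnerable builder yields a link carrying `hpp_probe=1` as its own parameter, while the fixed builder keeps the whole injected string inside the `id` value.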

The problems we identified affected many important and well-known
websites (e.g., Microsoft, Google, Symantec, Paypal, Facebook, etc.).
After we notified them, we had the problems acknowledged and some
patched.

We have now come online with a free service to test web applications
(called PAPAS) and the PDF of the paper (link is below).

Cheers.

[1]
http://blog.iseclab.org/2010/12/08/http-parameter-pollution-so-how-many-flawed-applications-exist-out-there-we-go-online-with-a-new-service/

-- 
bash$ :(){ :|:&};: Computer Science belongs to all Humanity! 
Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc
Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA

