WebApp Sec mailing list archives
Re: HTTP Parameter Pollution
From: Ivan Ristic <ivan.ristic () gmail com>
Date: Wed, 20 May 2009 16:07:01 +0200
I don't think the two issues are "married", as you imply. For example, let's assume that my application uses a backend subrequest whose query string is constructed out of the value of the paramter "param": http://backend.server/doSomething?key=$param and that you inject "value&injectedKey=injectedValue" (URL-encoded) into "param". The resulting backend request would thus be http://backend.server/doSomething?key=value&injectedKey=injectedValue So you have managed to pull off an attack using just query string injection. Depending on the backend service, that alone may be enough for exploitation. Thus, I think HPP is the injection part alone. I think your presentation would benefit from moving the discussion of parameter processing inconsistencies into the second half, positioning it as an additional technique that is needed to maximise the effect of the injection vulnerability. On Wed, May 20, 2009 at 2:13 PM, Stefano Di Paola <stefano.dipaola () wisec it> wrote:
Hi Ivan, HPP is an input validation vulnerability and, consequentially a possible attack, triggered by injection flaws in the context of generating QueryStrings/POST payloads. If you have only an injection (server or client side) in the context of query string construction, it doesn't mean you can actually override hardcoded parameters' values because of web server behaviour. On the other hand, if you know the web server/application behaviour and you cannot inject any parameter then you are obviously safe. So you need both hypothesis in order to exploit the issue. The main topic is that after identifying the application behaviour in managing multiple occurrences and considering which are the layers data passes through, an attacker could exploit the parameter injection vulnerability. And this is HPP. I hope we answered your question. However within the whitepaper, we are going to explain everything in detail and likely, we will be able to show the essence of this flaw. Cheers, Stefano & Luca Il giorno mer, 20/05/2009 alle 10.06 +0200, Ivan Ristic ha scritto:Hi Stefano, Your presentation discusses two separate issues: 1. The differences in how various components handle multiple request parameters with the same name when an application expects only one (parameter). 2. Attacks against query string construction flaws in applications. Just from reading the slides I couldn't determine which is the main topic, and which is the one you named HPP? On Tue, May 19, 2009 at 1:52 PM, Stefano Di Paola <stefano.dipaola () wisec it> wrote:Hi guys, during OWASP AppSec Poland 2009 we presented a newly discovered input validation vulnerability called "HTTP Parameter Pollution" (HPP). Basically, it can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters. In the last months, we have discovered several real world flaws in which HPP can be used to modify the application behaviors, access uncontrollable variables and even bypass input validation checkpoints and WAFs rules. Exploiting such HPP vulnerabilities, we have found several problems in some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and many other products. If you are interested, you are kindly invited to have a look at: http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf We're going to release additional materials in the next future, including a video of the Yahoo! attack vector. Stay tuned on http://blog.mindedsecurity.com and http://blog.nibblesec.org Cheers, Stefano Di Paola and Luca Carettoni -- Stefano Di Paola Chief Technology Officer, LA/ISO27001 Minded Security Research Labs Director Minded Security - Application Security Consulting Official Site: www.mindedsecurity.com Personal Blog: www.wisec.it/sectou.php ..................-- ...oOOo...oOOo.... Stefano Di Paola Software & Security Engineer Owasp Italy R&D Director Web: www.wisec.it ..................
-- Ivan Ristic
Current thread:
- HTTP Parameter Pollution Stefano Di Paola (May 19)
- Re: [WEB SECURITY] HTTP Parameter Pollution bugtraq (May 19)
- Re: [WEB SECURITY] HTTP Parameter Pollution Stefano Di Paola (May 22)
- Message not available
- Message not available
- Re: HTTP Parameter Pollution Stefano Di Paola (May 19)
- Message not available
- Re: [WEB SECURITY] HTTP Parameter Pollution bugtraq (May 19)
- Message not available
- Re: [WEB SECURITY] Re: HTTP Parameter Pollution Stefano Di Paola (May 19)
- Message not available
- Re: [WEB SECURITY] HTTP Parameter Pollution Stefano Di Paola (May 20)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: [WEB SECURITY] Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- <Possible follow-ups>
- Re: FW: HTTP Parameter Pollution Luca.carettoni (May 22)