Re: HTTP Parameter Pollution

[Ivan Ristic <ivan.ristic () gmail com>]

Hi Stefano,

Your presentation discusses two separate issues:

1. The differences in how various components handle multiple request
parameters with the same name when an application expects only one
(parameter).
2. Attacks against query string construction flaws in applications.

Just from reading the slides I couldn't determine which is the main
topic, and which is the one you named HPP?


On Tue, May 19, 2009 at 1:52 PM, Stefano Di Paola
<stefano.dipaola () wisec it> wrote:
> Hi guys,
>
> during OWASP AppSec Poland 2009 we presented a newly discovered input
> validation vulnerability called "HTTP Parameter Pollution" (HPP).
>
> Basically, it can be defined as the feasibility to override or add HTTP
> GET/POST parameters by injecting query string delimiters.
>
> In the last months, we have discovered several real world flaws in which
> HPP can be used to modify the application behaviors, access
> uncontrollable variables and even bypass input validation checkpoints
> and WAFs rules.
>
> Exploiting such HPP vulnerabilities, we have found several problems in
> some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> Classic and many other products.
>
> If you are interested, you are kindly invited to have a look at:
> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>
> We're going to release additional materials in the next future,
> including a video of the Yahoo! attack vector.
>
> Stay tuned on http://blog.mindedsecurity.com and
> http://blog.nibblesec.org
>
> Cheers,
> Stefano Di Paola and Luca Carettoni
>
> --
> Stefano Di Paola
> Chief Technology Officer, LA/ISO27001
> Minded Security Research Labs Director
>
> Minded Security - Application Security Consulting
>
> Official Site: www.mindedsecurity.com
>
> Personal Blog: www.wisec.it/sectou.php
> ..................



-- 
Ivan Ristic