Re: [WEB SECURITY] Re: HTTP Parameter Pollution

[Ivan Ristic <ivan.ristic () gmail com>]

When it comes to the exploitation of inconsistencies in parameter
parsing implementations in the context of WAFs, I prefer to use the
name Impedance Mismatch. It's a problem much wider in scope than
parameters because it affects virtually every part of the HTTP spec
ecosystem (the HTTP spec along with the related specifications). I
discovered it while working on ModSecurity, but I am sure it was known
well before because it applies to IDS as well.

I tried to talk about the problem over the years. Here are some links:

http://blog.modsecurity.org/2005/03/external-web-ap.html (the post
that Sverre mentions at the end of his writeup)
http://blog.modsecurity.org/2005/06/more-on-impedan.html
http://blog.modsecurity.org/2007/02/php-peculiariti.html
http://blog.modsecurity.org/2007/02/dealing-with-im.html

The problems with protecting PHP applications are particularly
interesting (third link). There are many other impedance mismatch
problems that are not publicly discussed (in my case because of the
lack of time -- I don't know what excuses others might have), but I am
pretty sure that they exploited in the wild. I am guessing that every
WAF vendor with a half-decent product is aware of (at least some of)
the issues.


On Tue, May 19, 2009 at 4:04 PM, Ryan Barnett <rcbarnett () gmail com> wrote:
> On Tue, May 19, 2009 at 7:52 AM, Stefano Di Paola <stefano.dipaola () wisec it>
> wrote:
> > Hi guys,
> >
> > during OWASP AppSec Poland 2009 we presented a newly discovered input
> > validation vulnerability called "HTTP Parameter Pollution" (HPP).
> >
> > Basically, it can be defined as the feasibility to override or add HTTP
> > GET/POST parameters by injecting query string delimiters.
> >
> > In the last months, we have discovered several real world flaws in which
> > HPP can be used to modify the application behaviors, access
> > uncontrollable variables and even bypass input validation checkpoints
> > and WAFs rules.
> >
> > Exploiting such HPP vulnerabilities, we have found several problems in
> > some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> > Classic and many other products.
> >
> > If you are interested, you are kindly invited to have a look at:
> > http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>
>
> FYI - Sverre Huseby has a write called Incompatible Parameter Parsing from
> 2005 which describes some of the same issues as HPP
> - http://shh.thathost.com/text/incompatible-parameter-parsing.txt
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com/
>
> > We're going to release additional materials in the next future,
> > including a video of the Yahoo! attack vector.
> >
> > Stay tuned on http://blog.mindedsecurity.com and
> > http://blog.nibblesec.org
> >
> > Cheers,
> > Stefano Di Paola and Luca Carettoni
> >
> > --
> > Stefano Di Paola
> > Chief Technology Officer, LA/ISO27001
> > Minded Security Research Labs Director
> >
> > Minded Security - Application Security Consulting
> >
> > Official Site: www.mindedsecurity.com
> >
> > Personal Blog: www.wisec.it/sectou.php
> > ..................



-- 
Ivan Ristic