Follow-up on HTTP Parameter Pollution

[embyte <embyte () madlab it>]

Hi guys,
I have just blogged about a research we recently did on HTTP Parameter
Pollution [1].

We designed and developed a new and unique system to detect HPP flaws
in Web Applications in an automated fashion. We then tested more than
5,000 popular web sites (taken from Alexa) and we discovered that 1499
of them contained at least one vulnerable page. 

That is, the tool was able to automatically inject an encoded parameter
inside one of the existing parameters, and was then able to verify that
its URL-decoded version was included in one of the URLs (links or
forms) of the resulting page.

The problems we identified affected many important and well-known
websites (e.g., Microsoft, Google, Symantec, Paypal, Facebook, etc..).
After we notified them, we had the problems acknowledged and some
patched.

We are now came online with a free service to test web applications
(called PAPAS) and the PDF of the paper. -link is below- 

Cheers.

[1]
http://blog.iseclab.org/2010/12/08/http-parameter-pollution-so-how-many-flawed-applications-exist-out-there-we-go-online-with-a-new-service/

-- 
bash$ :(){ :|:&};: Computer Science belongs to all Humanity! 
Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc
Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA)



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------