Re: [WEB SECURITY] Re: HTTP Parameter Pollution

[Stefano Di Paola <stefano.dipaola () wisec it>]

Ryan, 
thanks for letting us know this reference since we missed it completely.

We have tried several times to find articles/papers like this one,
looking on Google for previous researches about this topic. 
We will definitely put it in the bibliography reference of our white
paper. 

Having said that, the article just passes it by, and touches from a
quite long distance the concepts we have deeply discussed in our
presentation/research. 
No real life threats have been shown (AFAIK) and it covers server side
(gross filters bypass) issues only.

Anyway, thanks a lot! It's always a good chance to share knowledge and
folk memories :)

Cheers,
Stefano & Luca

PS. Just for fun, we may consider it as an archaeological finding..
something like the Homo Sapiens Neanderthalensis of HPP (joking :P).
http://en.wikipedia.org/wiki/Neanderthal


Il giorno mar, 19/05/2009 alle 10.04 -0400, Ryan Barnett ha scritto:
> On Tue, May 19, 2009 at 7:52 AM, Stefano Di Paola
> <stefano.dipaola () wisec it> wrote:
>
>         
>         Hi guys,
>         
>         during OWASP AppSec Poland 2009 we presented a newly
>         discovered input
>         validation vulnerability called "HTTP Parameter
>         Pollution" (HPP).
>         
>         Basically, it can be defined as the feasibility to override or
>         add HTTP
>         GET/POST parameters by injecting query string delimiters.
>         
>         In the last months, we have discovered several real world
>         flaws in which
>         HPP can be used to modify the application behaviors, access
>         uncontrollable variables and even bypass input validation
>         checkpoints
>         and WAFs rules.
>         
>         Exploiting such HPP vulnerabilities, we have found several
>         problems in
>         some Google Search Appliance front-end scripts, Ask.com,
>         Yahoo! Mail
>         Classic and many other products.
>         
>         If you are interested, you are kindly invited to have a look
>         at:
>         http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>         
>
>
>
>
> FYI - Sverre Huseby has a write called Incompatible Parameter Parsing
> from 2005 which describes some of the same issues as HPP
> - http://shh.thathost.com/text/incompatible-parameter-parsing.txt
>
>
> -- 
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com/
>
>
>  
>         
>         We're going to release additional materials in the next
>         future,
>         including a video of the Yahoo! attack vector.
>         
>         Stay tuned on http://blog.mindedsecurity.com and
>         http://blog.nibblesec.org
>         
>         Cheers,
>         Stefano Di Paola and Luca Carettoni
>         
>         --
>         Stefano Di Paola
>         Chief Technology Officer, LA/ISO27001
>         Minded Security Research Labs Director
>         
>         Minded Security - Application Security Consulting
>         
>         Official Site: www.mindedsecurity.com
>         
>         Personal Blog: www.wisec.it/sectou.php
>         ..................
>         
>         
>         
>         
>         
-- 
Stefano Di Paola
Chief Technology Officer, LA/ISO27001
Minded Security Research Labs Director

Minded Security - Application Security Consulting

Official Site: www.mindedsecurity.com

Personal Blog: www.wisec.it/sectou.php
..................