WebApp Sec mailing list archives
Re: [WEB SECURITY] Re: HTTP Parameter Pollution
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Tue, 19 May 2009 18:26:00 +0200
Ryan,

thanks for letting us know this reference since we missed it completely. We have tried several times to find articles/papers like this one, looking on Google for previous research about this topic. We will definitely put it in the bibliography reference of our white paper.

Having said that, the article just passes it by, and touches from quite a long distance the concepts we have deeply discussed in our presentation/research. No real life threats have been shown (AFAIK) and it covers server side (gross filters bypass) issues only.

Anyway, thanks a lot! It's always a good chance to share knowledge and folk memories :)

Cheers,
Stefano & Luca

PS. Just for fun, we may consider it as an archaeological finding.. something like the Homo Sapiens Neanderthalensis of HPP (joking :P). http://en.wikipedia.org/wiki/Neanderthal

On Tue, 19/05/2009 at 10.04 -0400, Ryan Barnett wrote:
On Tue, May 19, 2009 at 7:52 AM, Stefano Di Paola <stefano.dipaola () wisec it> wrote:

Hi guys,

during OWASP AppSec Poland 2009 we presented a newly discovered input validation vulnerability called "HTTP Parameter Pollution" (HPP).

Basically, it can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters.

In the last months, we have discovered several real world flaws in which HPP can be used to modify the application behaviors, access uncontrollable variables and even bypass input validation checkpoints and WAFs rules.

Exploiting such HPP vulnerabilities, we have found several problems in some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and many other products.

If you are interested, you are kindly invited to have a look at:
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

FYI - Sverre Huseby has a write-up called Incompatible Parameter Parsing from 2005 which describes some of the same issues as HPP -
http://shh.thathost.com/text/incompatible-parameter-parsing.txt

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com/

We're going to release additional materials in the near future, including a video of the Yahoo! attack vector.

Stay tuned on http://blog.mindedsecurity.com and http://blog.nibblesec.org

Cheers,
Stefano Di Paola and Luca Carettoni

--
Stefano Di Paola
Chief Technology Officer, LA/ISO27001
Minded Security Research Labs Director
Minded Security - Application Security Consulting
Official Site: www.mindedsecurity.com
Personal Blog: www.wisec.it/sectou.php
..................
-- Stefano Di Paola Chief Technology Officer, LA/ISO27001 Minded Security Research Labs Director Minded Security - Application Security Consulting Official Site: www.mindedsecurity.com Personal Blog: www.wisec.it/sectou.php ..................
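An added example, not part of the original messages or the authors' own code: it shows why a front end that sees one clean parameter and a back end that re-parses a concatenated query string can disagree, and the encoding and duplicate-name checks that close the gap. The parameter names, the request and all function names are constructed for illustration.

```python
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed request as a front end receives it: one parameter, delimiters encoded.
CONSTRUCTED_REQUEST = "item=42%26action%3Dedit"


def build_backend_query_unsafe(user_value):
    # Pattern to avoid: the decoded value is concatenated as-is, so an
    # embedded '&' starts a new parameter in the back-end query string.
    return "action=view&item=" + user_value


def build_backend_query_safe(user_value):
    # urlencode percent-encodes '&' and '=', keeping the value inside 'item'.
    return urlencode({"action": "view", "item": user_value})


def first_wins(query):
    # Models a parser that keeps the first occurrence of each name.
    out = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        out.setdefault(name, value)
    return out


def last_wins(query):
    # Models a parser that keeps the last occurrence of each name.
    return dict(parse_qsl(query, keep_blank_values=True))


def duplicated_names(query):
    # Detection check: names that occur more than once in a query string.
    parsed = parse_qs(query, keep_blank_values=True)
    return sorted(name for name, values in parsed.items() if len(values) > 1)


if __name__ == "__main__":
    decoded = parse_qs(CONSTRUCTED_REQUEST)["item"][0]
    for label, query in (("unsafe", build_backend_query_unsafe(decoded)),
                         ("safe", build_backend_query_safe(decoded))):
        print(label, query, "duplicates:", duplicated_names(query))
        print("  first-wins:", first_wins(query), "last-wins:", last_wins(query))
```

Running the duplicate check on the query string each component actually parses, not only on the inbound request, is what catches the mismatch.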