WebApp Sec mailing list archives
Re: [WEB SECURITY] HTTP Parameter Pollution
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Wed, 20 May 2009 07:23:43 +0200
Hi Mostafa, yes, we have thought about the info leakage as well. It is definitively a "side-effect" of this kind of attack. However, we had to stress the concepts of HPP (because of limited time during the talk) and hope for the community members like you to add useful informations and research about HPP. If you have additional stuff, we may consider to include it in our whitepaper. Cheers, Stefano & Luca Il giorno mar, 19/05/2009 alle 19.59 +0300, Mostafa Siraj ha scritto:
Hello Stefano, This is a very interesting paper, I tested several websites and found some of them behaving unusual, I guess you need to add more harmful attack vector to get more recognition for your white paper. I'm sharing here with another attack vector at a very popular Arabic search engine called Onkosh (check the image below) I guess another useful use from this attack is information leakage about the web server, since -as listed in your presentation- different web servers react differently to this attack, we can use that to know which web server we're dealing with and possibly form another attack depending on that. anyway this is really a great work HPP_example.png Thanks Mostafa Siraj Application Security Expert ITWorx Egypt www.ITWorx.com On Tue, May 19, 2009 at 2:52 PM, Stefano Di Paola <stefano.dipaola () wisec it> wrote: Hi guys, during OWASP AppSec Poland 2009 we presented a newly discovered input validation vulnerability called "HTTP Parameter Pollution" (HPP). Basically, it can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters. In the last months, we have discovered several real world flaws in which HPP can be used to modify the application behaviors, access uncontrollable variables and even bypass input validation checkpoints and WAFs rules. Exploiting such HPP vulnerabilities, we have found several problems in some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and many other products. If you are interested, you are kindly invited to have a look at: http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf We're going to release additional materials in the next future, including a video of the Yahoo! attack vector. Stay tuned on http://blog.mindedsecurity.com and http://blog.nibblesec.org Cheers, Stefano Di Paola and Luca Carettoni -- Stefano Di Paola Chief Technology Officer, LA/ISO27001 Minded Security Research Labs Director Minded Security - Application Security Consulting Official Site: www.mindedsecurity.com Personal Blog: www.wisec.it/sectou.php .................. ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA -- "Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our light, not our darkness, that most frightens us. We ask ourselves, who am I to be brilliant, gorgeous, talented, and fabulous?Actually, who are you not to be? You are a child of God. Your playing small doesn't serve the world. There's nothing enlightened about shrinking so that other people won't feel insecure around you. We are all meant to shine, as children do. We are born to make manifest the glory of God that is within us. It's not just in some of us, it's in everyone. And as we let our own light shine, we unconsciously give other people permission to do the same. As we are liberated from our own fear, our presence automatically liberates others." --Nelson Mandela--
-- ...oOOo...oOOo.... Stefano Di Paola Software & Security Engineer Owasp Italy R&D Director Web: www.wisec.it ..................
Current thread:
- HTTP Parameter Pollution Stefano Di Paola (May 19)
- Re: [WEB SECURITY] HTTP Parameter Pollution bugtraq (May 19)
- Re: [WEB SECURITY] HTTP Parameter Pollution Stefano Di Paola (May 22)
- Message not available
- Message not available
- Re: HTTP Parameter Pollution Stefano Di Paola (May 19)
- Message not available
- Re: [WEB SECURITY] HTTP Parameter Pollution bugtraq (May 19)
- Message not available
- Re: [WEB SECURITY] Re: HTTP Parameter Pollution Stefano Di Paola (May 19)
- Message not available
- Re: [WEB SECURITY] HTTP Parameter Pollution Stefano Di Paola (May 20)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: [WEB SECURITY] Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- <Possible follow-ups>
- Re: FW: HTTP Parameter Pollution Luca.carettoni (May 22)