WebApp Sec mailing list archives
Re: FW: HTTP Parameter Pollution
From: "Luca.carettoni" <luca.carettoni () ikkisoft com>
Date: Thu, 21 May 2009 14:20:50 +0200
Thanks! If you have an interesting finding and you would like to share it with us, we may consider including it in the whitepaper. This is true for Marco as well as for all of you. Several HPP-like flaws are probably around and awareness is the key to resolve the issue. Cheers, Luca & Stefano -----Original message----- From: Marco Mella marco.mella () gmail com Date: Thu, 21 May 2009 09:39:49 +0200 To: stefano.dipaola () wisec it, luca.carettoni () ikkisoft com Subject: Re: FW: HTTP Parameter Pollution
Hi Stefano, Luca.Very good job. I think that HPP open new very interesting perspective for web application security on both side of medal, attack and defense. I have tried some web site and I have found very interesting side-effect of HPP. Cheers, Marco Hi guys,during OWASP AppSec Poland 2009 we presented a newly discovered input validation vulnerability called "HTTP Parameter Pollution" (HPP). Basically, it can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters. In the last months, we have discovered several real world flaws in which HPP can be used to modify the application behaviors, access uncontrollable variables and even bypass input validation checkpoints and WAFs rules. Exploiting such HPP vulnerabilities, we have found several problems in some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and many other products. If you are interested, you are kindly invited to have a look at: http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf We're going to release additional materials in the next future, including a video of the Yahoo! attack vector. Stay tuned on http://blog.mindedsecurity.com and http://blog.nibblesec.org Cheers, Stefano Di Paola and Luca Carettoni -- Stefano Di Paola Chief Technology Officer, LA/ISO27001 Minded Security Research Labs Director Minded Security - Application Security Consulting Official Site: www.mindedsecurity.com Personal Blog: www.wisec.it/sectou.php ..................
Current thread:
- Re: HTTP Parameter Pollution, (continued)
- Message not available
- Message not available
- Re: HTTP Parameter Pollution Stefano Di Paola (May 19)
- Message not available
- Re: [WEB SECURITY] Re: HTTP Parameter Pollution Stefano Di Paola (May 19)
- Message not available
- Re: [WEB SECURITY] HTTP Parameter Pollution Stefano Di Paola (May 20)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: [WEB SECURITY] Re: HTTP Parameter Pollution Ivan Ristic (May 22)