WebApp Sec mailing list archives
Follow-up on HTTP Parameter Pollution
From: embyte <embyte () madlab it>
Date: Wed, 8 Dec 2010 19:29:32 +0100
Hi guys, I have just blogged about a research we recently did on HTTP Parameter Pollution [1]. We designed and developed a new and unique system to detect HPP flaws in Web Applications in an automated fashion. We then tested more than 5,000 popular web sites (taken from Alexa) and we discovered that 1499 of them contained at least one vulnerable page. That is, the tool was able to automatically inject an encoded parameter inside one of the existing parameters, and was then able to verify that its URL-decoded version was included in one of the URLs (links or forms) of the resulting page. The problems we identified affected many important and well-known websites (e.g., Microsoft, Google, Symantec, Paypal, Facebook, etc..). After we notified them, we had the problems acknowledged and some patched. We are now came online with a free service to test web applications (called PAPAS) and the PDF of the paper. -link is below- Cheers. [1] http://blog.iseclab.org/2010/12/08/http-parameter-pollution-so-how-many-flawed-applications-exist-out-there-we-go-online-with-a-new-service/ -- bash$ :(){ :|:&};: Computer Science belongs to all Humanity! Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA) This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
Current thread:
- Follow-up on HTTP Parameter Pollution embyte (Dec 09)