Re: [WEB SECURITY] HTTP Parameter Pollution

[bugtraq () cgisecurity net]

A few comments/questions,

Slide 24: I had a related post on attacking permalinks that touches on this @ 
http://www.cgisecurity.com/2006/11/attacking-perma.html

Slide 28: page.php would only be 'affected' if it failed to properly authorize the user before performing an edit 
function and 
really this is a failure to have CSRF protection. This isn't any different than just directly sending the parameter to 
page.php. 
This is technically a subclass/use of content spoofing. 

Slide 33: It appears you've found JS that utilizes this parameter, and if you specified it you could specify your own
image but not necessarly get XSS. This could be classified as content spoofing. 

Slide 37: The bug here is a failure to validate CSRF tokens before executing the commands. In the url I don't see
a CSRF token, if I am misunderstanding please clarify.

Keep up the good work. 

Regards,
- Robert 
http://www.cgisecurity.com/
http://www.webappsec.org/


> Hi guys,
>
> during OWASP AppSec Poland 2009 we presented a newly discovered input
> validation vulnerability called "HTTP Parameter Pollution" (HPP).
>
> Basically, it can be defined as the feasibility to override or add HTTP
> GET/POST parameters by injecting query string delimiters.
>
> In the last months, we have discovered several real world flaws in which
> HPP can be used to modify the application behaviors, access
> uncontrollable variables and even bypass input validation checkpoints
> and WAFs rules. 
>
> Exploiting such HPP vulnerabilities, we have found several problems in
> some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> Classic and many other products.
>
> If you are interested, you are kindly invited to have a look at:  
> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>
> We're going to release additional materials in the next future,
> including a video of the Yahoo! attack vector.
>
> Stay tuned on http://blog.mindedsecurity.com and
> http://blog.nibblesec.org
>
> Cheers,
> Stefano Di Paola and Luca Carettoni
>
> -- 
> Stefano Di Paola
> Chief Technology Officer, LA/ISO27001
> Minded Security Research Labs Director
>
> Minded Security - Application Security Consulting
>
> Official Site: www.mindedsecurity.com
>
> Personal Blog: www.wisec.it/sectou.php
> ..................
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA