WebApp Sec mailing list archives
Re: HTTP Parameter Pollution
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Tue, 19 May 2009 18:35:44 +0200
Stephen, thanks for your comments. We appreciate it very much.

Speaking about the server side exploitation of HPP, we have defined HPP as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters.

Considering:
1) A front end web server (A) which directly communicates with the client, and
2) A back end web server (B) which is accessed by (A) via a GET or POST request, where some of the request values are controlled by an attacker.

We may imagine the following example, as reported in the slides:

    // Code on (A):
    private void executeBackendRequest(HTTPRequest request) {
        String amount = request.getParameter("amount");
        String beneficiary = request.getParameter("recipient");
        // This connects to (B): the values are concatenated into the body as-is
        HttpRequest("http://backendServer.com/servlet/actions", "POST",
                    "action=transfer&amount=" + amount + "&recipient=" + beneficiary);
    }

Here, there is a component (A) acting as a dispatcher for (B). In addition, there's also an "action=transfer" key value pair which is hardcoded.

In this case, the attacker may inject something like:

    recipient=Mat%26action%3dwithdraw

On (A), it will be concatenated, resulting in a new payload:

    action=transfer&amount=1000&recipient=Mat&action=withdraw

which will be sent to (B) by (A).

As you can notice, the parameter "action" has been injected and, in case (B) gets the last occurrence only (see server enumeration), the action will be "withdraw" instead of "transfer".

In this case, we think that the given HPP definition properly fits since it adds or overrides an HTTP parameter.

Let us know if we correctly understood your question.

Cheers,
Stefano

On Tue, 19/05/2009 at 15.30 +0200, Stephen de Vries wrote:
Guys,

A nice piece of research!

A comment on the slides "HPP Server Side Attacks 1/2 and 2/2": I don't think that that case fits into the definition of HPP. It looks more like standard parameter manipulation because it doesn't depend on the request having multiple parameters.

Stephen

On May 19, 2009, at 1:52 PM, Stefano Di Paola wrote:

Hi guys,

during OWASP AppSec Poland 2009 we presented a newly discovered input validation vulnerability called "HTTP Parameter Pollution" (HPP). Basically, it can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters.

In the last months, we have discovered several real world flaws in which HPP can be used to modify the application behaviors, access uncontrollable variables and even bypass input validation checkpoints and WAF rules. Exploiting such HPP vulnerabilities, we have found several problems in some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and many other products.

If you are interested, you are kindly invited to have a look at:
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

We're going to release additional materials in the next future, including a video of the Yahoo! attack vector. Stay tuned on http://blog.mindedsecurity.com and http://blog.nibblesec.org

Cheers,
Stefano Di Paola and Luca Carettoni

--
Stefano Di Paola
Chief Technology Officer, LA/ISO27001
Minded Security Research Labs Director
Minded Security - Application Security Consulting
Official Site: www.mindedsecurity.com
Personal Blog: www.wisec.it/sectou.php

--
Stephen de Vries
Corsaire Ltd
E-mail: stephen () corsaire com
Tel: +44 1483 746714
Fax: +44 1483 746701
Web: http://www.corsaire.com
--
Stefano Di Paola
Chief Technology Officer, LA/ISO27001
Minded Security Research Labs Director
Minded Security - Application Security Consulting
Official Site: www.mindedsecurity.com
Personal Blog: www.wisec.it/sectou.php
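Editor's note: the following Python snippet is an added example, not code from the thread or from the authors' slides. It models the dispatcher on (A) from Stefano's message in two versions (raw concatenation beside a version that URL-encodes each value), a pre-dispatch check that flags duplicated keys in the outgoing body, and the three parameter-resolution policies (first, last, all) that different back ends apply when a key is repeated. The sample amount and recipient values are constructed from the example in the message.

```python
from collections import Counter
from urllib.parse import parse_qs, urlencode

# Constructed sample input: what (A) sees after request.getParameter()
# has already URL-decoded the client's recipient=Mat%26action%3dwithdraw.
AMOUNT = "1000"
RECIPIENT = "Mat&action=withdraw"


def build_body_vulnerable(amount, recipient):
    """Mirror of the concatenation on (A): attacker-controlled values are
    pasted into the body verbatim, so '&' and '=' inside them become
    delimiters when (B) parses the request."""
    return "action=transfer&amount=" + amount + "&recipient=" + recipient


def build_body_fixed(amount, recipient):
    """Hardened dispatcher: every value is encoded, so '&' and '=' inside a
    value are transmitted as %26 and %3D and stay data on (B)."""
    return urlencode({"action": "transfer", "amount": amount,
                      "recipient": recipient})


def duplicated_keys(body):
    """Defensive check (A) can run before dispatching: return the keys that
    occur more than once in the outgoing body. A hardcoded key such as
    'action' must never appear twice."""
    keys = [pair.split("=", 1)[0] for pair in body.split("&") if pair]
    return sorted(k for k, n in Counter(keys).items() if n > 1)


def backend_action(body, policy):
    """How (B) resolves the 'action' key under a given parser policy
    (the 'server enumeration' referred to in the thread)."""
    values = parse_qs(body, keep_blank_values=True).get("action", [])
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "all":
        return ",".join(values)
    raise ValueError("unknown policy: " + policy)


if __name__ == "__main__":
    raw = build_body_vulnerable(AMOUNT, RECIPIENT)
    safe = build_body_fixed(AMOUNT, RECIPIENT)
    print("vulnerable body :", raw, "duplicates:", duplicated_keys(raw))
    print("fixed body      :", safe, "duplicates:", duplicated_keys(safe))
    for policy in ("first", "last", "all"):
        print(policy, "->", backend_action(raw, policy), "/",
              backend_action(safe, policy))
```

Only a back end that honours the last occurrence executes "withdraw"; a "first" back end is unaffected and an "all" back end gets a combined value, which is why the outcome depends on the server enumeration the thread mentions.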