WebApp Sec mailing list archives

Re: [WEB SECURITY] HTTP Parameter Pollution


From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Wed, 20 May 2009 07:23:43 +0200

Hi Mostafa,
yes, we have thought about the info leakage as well. It is definitely
a "side-effect" of this kind of attack. However, we had to stress the
concepts of HPP (because of limited time during the talk) and hope for
the community members like you to add useful information and research
about HPP.

If you have additional stuff, we may consider including it in our
whitepaper.

Cheers,
Stefano & Luca

On Tue, 19/05/2009 at 19.59 +0300, Mostafa Siraj wrote:
Hello Stefano,


This is a very interesting paper. I tested several websites and found
some of them behaving unusually. I guess you need to add more
harmful attack vectors to get more recognition for your white paper.


I'm sharing here another attack vector at a very popular Arabic
search engine called Onkosh (check the image below)


I guess another useful use of this attack is information leakage
about the web server: since, as listed in your presentation, different
web servers react differently to this attack, we can use that to know
which web server we're dealing with and possibly form another attack
depending on that.


Anyway, this is really great work.



HPP_example.png


Thanks


Mostafa Siraj
Application Security Expert
ITWorx Egypt
www.ITWorx.com






On Tue, May 19, 2009 at 2:52 PM, Stefano Di Paola
<stefano.dipaola () wisec it> wrote:
        Hi guys,

        during OWASP AppSec Poland 2009 we presented a newly discovered input
        validation vulnerability called "HTTP Parameter Pollution" (HPP).

        Basically, it can be defined as the feasibility to override or add HTTP
        GET/POST parameters by injecting query string delimiters.

        In the last months, we have discovered several real world flaws in which
        HPP can be used to modify the application behaviors, access
        uncontrollable variables and even bypass input validation checkpoints
        and WAF rules.

        Exploiting such HPP vulnerabilities, we have found several problems in
        some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
        Classic and many other products.

        If you are interested, you are kindly invited to have a look at:
        http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

        We're going to release additional materials in the near future,
        including a video of the Yahoo! attack vector.

        Stay tuned on http://blog.mindedsecurity.com and
        http://blog.nibblesec.org

        Cheers,
        Stefano Di Paola and Luca Carettoni
        
        --
        Stefano Di Paola
        Chief Technology Officer, LA/ISO27001
        Minded Security Research Labs Director
        
        Minded Security - Application Security Consulting
        
        Official Site: www.mindedsecurity.com
        
        Personal Blog: www.wisec.it/sectou.php
        ..................
        
        
        



-- 
"Our deepest fear is not that we are inadequate. Our deepest fear is
that we are powerful beyond measure. It is our light, not our
darkness, that most frightens us. We ask ourselves, who am I to be
brilliant, gorgeous, talented, and fabulous? Actually, who are you not
to be? You are a child of God. Your playing small doesn't serve the
world. There's nothing enlightened about shrinking so that other
people won't feel insecure around you. We are all meant to shine, as
children do. We are born to make manifest the glory of God that is
within us. It's not just in some of us, it's in everyone. And as we
let our own light shine, we unconsciously give other people permission
to do the same. As we are liberated from our own fear, our presence
automatically liberates others." --Nelson Mandela--

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
..................
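
Added example, not part of the original thread or the authors' whitepaper: a Python sketch of the definition quoted above (a decoded value carrying query string delimiters adds a second parameter when concatenated into a new URL) beside the output-encoding fix and a duplicate-parameter check. The host vote.example, the parameter names poll_id and action, and the three generic precedence policies (first-wins, last-wins, join-all) are assumptions for illustration and are not mapped to any specific server.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed request: the front end receives this query string from a client.
SAMPLE_QUERY = "poll_id=4568%26action%3Dother"
# After normal URL-decoding, the value itself contains '&' and '='.
DECODED = dict(parse_qsl(SAMPLE_QUERY))["poll_id"]

BASE = "https://vote.example/?"  # hypothetical back-end endpoint (assumption)


def build_link_unsafe(poll_id):
    """Pattern that permits HPP: decoded input concatenated into a new query."""
    return BASE + "action=view&poll_id=" + poll_id


def build_link_safe(poll_id):
    """Re-encode on output so '&' and '=' stay inside the single value."""
    return BASE + urlencode({"action": "view", "poll_id": poll_id})


def duplicate_params(url):
    """Names that appear more than once in the query string (HPP indicator)."""
    pairs = parse_qsl(url.split("?", 1)[-1], keep_blank_values=True)
    names = [name for name, _ in pairs]
    return sorted({n for n in names if names.count(n) > 1})


def precedence_views(url, name):
    """What first-wins, last-wins and join-all parsers each see for `name`."""
    values = [v for k, v in parse_qsl(url.split("?", 1)[-1]) if k == name]
    if not values:
        return {}
    return {"first": values[0], "last": values[-1], "joined": ",".join(values)}


if __name__ == "__main__":
    for build in (build_link_unsafe, build_link_safe):
        link = build(DECODED)
        print(build.__name__, link)
        print("  duplicates:", duplicate_params(link))
        print("  action seen as:", precedence_views(link, "action"))
```

Rejecting or logging any request for which duplicate_params is non-empty on parameters that are meant to be single-valued gives the same answer regardless of which precedence policy the back end applies.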




