WebApp Sec mailing list archives
Re: HTTP Parameter Pollution
From: Ivan Ristic <ivan.ristic () gmail com>
Date: Wed, 20 May 2009 17:49:10 +0200
On Wed, May 20, 2009 at 5:30 PM, Stefano Di Paola <stefano.dipaola () wisec it> wrote:
> ... Having said that, we think there's something you're missing from the application point of view. The fact that the web server behavior does not affect HPP would be correct only, and only if, there is no other hardcoded parameter. But think about:
>
> URL #1 http://backend.server/doSomething?action=view&key=$param
> and
> URL #2 http://backend.server/doSomething?key=$param&action=view
>
> Given that the injection is the issue, and that the attack is: value%26action=delete%23
> which is the safe URL and which the vulnerable one?
Both are vulnerable because both can be manipulated. Only one is exploitable. The difference here is that I don't care about exploitability and you do.

My view is that if I don't know how to exploit a vulnerability that does not mean that there isn't someone else who can :) That's why, in my view, the additional technique you need for exploitability does not matter.

--
Ivan Ristic
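Added example, not part of the original message or thread: a Python sketch of how a backend would read the two URLs quoted above when the front end pastes the decoded parameter in unchanged, next to the same URLs built with the value re-encoded. The function names, the "first"/"last" precedence switch and the assumption that the HTTP client drops everything after `#` before sending are illustrative choices, not details from the thread.

```python
from urllib.parse import urlsplit, parse_qsl, quote, unquote

# Parameter value quoted in the thread, as it arrives URL-encoded at the front end.
ATTACK = "value%26action=delete%23"

# The two hardcoded backend URLs from the thread, with $param as a placeholder.
URL1 = "http://backend.server/doSomething?action=view&key={param}"
URL2 = "http://backend.server/doSomething?key={param}&action=view"


def build_unsafe(template, raw):
    """Front end decodes the parameter and concatenates it unchanged."""
    return template.format(param=unquote(raw))


def build_safe(template, raw):
    """Re-encode the decoded value so '&', '=' and '#' remain data."""
    return template.format(param=quote(unquote(raw), safe=""))


def backend_view(url, precedence):
    """Return (action, key) as seen by a backend that keeps the 'first'
    or the 'last' occurrence of a duplicated parameter.
    Assumption: the fragment after '#' never reaches the backend."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    seen = {}
    for name, value in pairs:
        if precedence == "last" or name not in seen:
            seen[name] = value
    return seen.get("action"), seen.get("key")


if __name__ == "__main__":
    for label, template in (("URL #1", URL1), ("URL #2", URL2)):
        for builder in (build_unsafe, build_safe):
            url = builder(template, ATTACK)
            for precedence in ("first", "last"):
                action, key = backend_view(url, precedence)
                print(f"{label} {builder.__name__:12} {precedence:5} "
                      f"action={action!r} key={key!r}")
```

With the value re-encoded, both URLs yield the hardcoded action under either precedence rule, and the whole submitted string arrives as the value of `key`.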