WebApp Sec mailing list archives

Re: HTTP Parameter Pollution


From: Ivan Ristic <ivan.ristic () gmail com>
Date: Wed, 20 May 2009 17:49:10 +0200

On Wed, May 20, 2009 at 5:30 PM, Stefano Di Paola
<stefano.dipaola () wisec it> wrote:

> ...
>
> Having said that, we think there's something you're missing from the
> application point of view.
>
> The fact that the web server behaviour does not affect HPP would be
> correct if, and only if, there is no other hardcoded parameter.
>
> But think about:
>
> URL #1
> http://backend.server/doSomething?action=view&key=$param
>
> and
>
> URL #2
> http://backend.server/doSomething?key=$param&action=view
>
>
> Given that the injection is the issue, and that the attack is:
>
> value%26action=delete%23
>
> which is the safe URL and which the vulnerable one?

Both are vulnerable because both can be manipulated. Only one is
exploitable. The difference here is that I don't care about
exploitability and you do. My view is that if I don't know how to
exploit a vulnerability that does not mean that there isn't someone
else who can :)

That's why, in my view, the additional technique you need for
exploitability does not matter.

-- 
Ivan Ristic
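The two URLs quoted above, worked through as an added example (not code from the original message or from either author). It assumes a front end that URL-decodes the user's value once and splices it into the hard-coded back-end URL without re-encoding, that the HTTP client drops everything after `#` before sending the request, and that the back end resolves a duplicated parameter either first-wins or last-wins; the parameter names and the `backend.server` host are the ones from the thread.

```python
from urllib.parse import parse_qs, unquote

# The two back-end URL templates quoted in the thread; $param is the
# attacker-controlled value that the front end splices in.
URL1 = "http://backend.server/doSomething?action=view&key=$param"
URL2 = "http://backend.server/doSomething?key=$param&action=view"

# The payload from the thread, exactly as the attacker submits it.
PAYLOAD = "value%26action=delete%23"


def build_backend_url(template, raw_param):
    """Assumed front-end behaviour (the HPP bug): decode the user's value once
    and insert it into the template without re-encoding it."""
    return template.replace("$param", unquote(raw_param))


def backend_params(url):
    """Split the URL as an HTTP client and server would: the fragment after '#'
    is never sent, and the query is everything after the first '?'."""
    request_target = url.split("#", 1)[0]
    query = request_target.split("?", 1)[1] if "?" in request_target else ""
    # parse_qs keeps every occurrence of a name, in order of appearance.
    return parse_qs(query, keep_blank_values=True)


def resolve(params, name, precedence):
    """Value a back end would use for a duplicated parameter.
    'first' models APIs that return the first occurrence (e.g. Java Servlet
    getParameter); 'last' models last-wins behaviour (e.g. PHP's $_GET)."""
    values = params.get(name, [])
    if not values:
        return None
    return values[0] if precedence == "first" else values[-1]


def outcome(template, precedence, raw_param=PAYLOAD):
    """The 'action' the back end ends up executing for a given template,
    duplicate-parameter precedence and submitted value."""
    url = build_backend_url(template, raw_param)
    return resolve(backend_params(url), "action", precedence)


if __name__ == "__main__":
    for name, template in (("URL #1", URL1), ("URL #2", URL2)):
        print(name, build_backend_url(template, PAYLOAD))
        for precedence in ("first", "last"):
            print("  %s-wins back end -> action=%s"
                  % (precedence, outcome(template, precedence)))
```

Run it and URL #2 yields `action=delete` under both precedences, because the injected `#` truncates the hard-coded `action=view` that follows `$param`; URL #1 yields `delete` only on a last-wins back end and `view` on a first-wins one. Both templates accept the same injection, which is the point of the reply above: the injection is the defect, and the parser precedence only decides whether this particular payload exploits it.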
