WebApp Sec mailing list archives

RE: [WEB SECURITY] Re: HTTP Parameter Pollution


From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Wed, 20 May 2009 21:58:36 +0200

Martin, 

"...
1. Web servers/frameworks/applications can do whatever they want with
multiple occurrences of the same parameter. No standard is actually
defined.
...
5. It has to be considered a behaviour not an issue. 
..."

we do not claim that it's wrong to expect more than one parameter. 
As you said, this is perfectly acceptable.
The problem is about which occurrence should be considered in a way that
all behaviours are consistent. 
A standard may mitigate this aspect of the issue.

Resume: we totally agree with you.  :)

Cheers,
Stefano & Luca

On Wed, 20/05/2009 at 19:03 +0100, Martin O'Neal wrote:
> > 2. It would be better if an RFC or similar states how to treat them.
> 
> I would disagree with this.  This isn't a standard thing really; it is
> perfectly valid for an application to expect zero/one/infinity
> parameters; the issue only arises when the application does not handle a
> mismatch between expectation and actuality...
> 
> Martin...





-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Owasp Italy R&D Director

Web: www.wisec.it
..................
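The point both posters agree on above, that nothing standardises which occurrence of a repeated parameter an application should use, is easy to demonstrate. The following Python is an added example, not code from the thread or from either poster: it parses one constructed query string under the three policies seen in practice (first wins, last wins, keep all), reports which parameters are duplicated, and shows a defensive normaliser that rejects unexpected duplicates so a front-end filter and the back-end cannot disagree about the value. All function names and the sample query are assumptions of this example.

```python
"""Added example: how one query string is read under different
duplicate-parameter policies, and a strict normaliser for the defender."""
from urllib.parse import parse_qs, parse_qsl

# Constructed sample: "id" appears twice with different values.
SAMPLE_QUERY = "id=123&action=view&id=456"


def first_occurrence(query: str) -> dict:
    """Policy used by some frameworks: the first value for a name wins."""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        result.setdefault(name, value)
    return result


def last_occurrence(query: str) -> dict:
    """Policy used by other frameworks: the last value for a name wins.
    dict() over the (name, value) pairs keeps the final assignment."""
    return dict(parse_qsl(query, keep_blank_values=True))


def all_occurrences(query: str) -> dict:
    """Policy that keeps every value: a name maps to a list of values."""
    return parse_qs(query, keep_blank_values=True)


def duplicated_parameters(query: str) -> list:
    """Names that occur more than once: the 'mismatch between expectation
    and actuality' the thread says an application must handle explicitly."""
    return sorted(name for name, values in all_occurrences(query).items()
                  if len(values) > 1)


def strict_single_valued(query: str, allow_multi=()) -> dict:
    """Defensive normaliser: every name not listed in allow_multi must
    appear at most once, otherwise the request is rejected. This way the
    value the application acts on is the same one any upstream component
    (proxy, WAF, logging) would see, whatever policy that component uses."""
    parsed = all_occurrences(query)
    unexpected = [name for name, values in parsed.items()
                  if len(values) > 1 and name not in allow_multi]
    if unexpected:
        raise ValueError(f"unexpected duplicate parameter(s): {unexpected}")
    return {name: (values if name in allow_multi else values[0])
            for name, values in parsed.items()}


if __name__ == "__main__":
    print("first wins :", first_occurrence(SAMPLE_QUERY))
    print("last wins  :", last_occurrence(SAMPLE_QUERY))
    print("keep all   :", all_occurrences(SAMPLE_QUERY))
    print("duplicated :", duplicated_parameters(SAMPLE_QUERY))
    try:
        strict_single_valued(SAMPLE_QUERY)
    except ValueError as err:
        print("strict     :", err)
```

Running it shows `id` resolving to `123`, `456` or `['123', '456']` depending only on the parsing policy, which is exactly why the normaliser refuses the request instead of silently picking one; names that are legitimately multi-valued are whitelisted through `allow_multi`.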
