WebApp Sec mailing list archives
RE: [WEB SECURITY] Re: HTTP Parameter Pollution
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Wed, 20 May 2009 21:58:36 +0200
Martin,

> ... 1. Web servers/frameworks/applications can do whatever they want with
> multiple occurrences of the same parameter. No standard is actually defined.
> ...
> 5. It has to be considered a behaviour not an issue. ...

We do not claim that it's wrong to expect more than one parameter. As you said, this is perfectly acceptable. The problem is about which occurrence should be considered, in a way that all behaviours are consistent. A standard may mitigate this aspect of the issue.

Resume: we totally agree with you. :)

Cheers,
Stefano & Luca

On Wed, 20/05/2009 at 19.03 +0100, Martin O'Neal wrote:
> > 2. It would be better if an RFC or similar states how to treat them.
>
> I would disagree with this. This isn't a standard thing really; it is perfectly valid for an application to expect zero/one/infinity parameters; the issue only arises when the application does not handle a mismatch between expectation and actuality...
>
> Martin...
-- ...oOOo...oOOo.... Stefano Di Paola Software & Security Engineer Owasp Italy R&D Director Web: www.wisec.it ..................
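The disagreement above is about which occurrence of a repeated parameter a server picks, and what happens when the layer that validates a request and the layer that uses it pick differently. The following Python is an added illustration, not code from the thread or from either author: it parses one constructed query string under the four policies commonly attributed in the HPP literature to different platforms (first occurrence, last occurrence, comma-concatenation, all values as a list), then shows the hardened check Martin's point implies, namely rejecting a request whose parameter count does not match what the application expects. The policy names, `SAMPLE_QUERY`, `expect_single` and all function names are assumptions made for the example.

```python
from urllib.parse import parse_qsl

# Constructed sample request (not from the thread): the application expects
# exactly one "id", but the client sends two.
SAMPLE_QUERY = "id=42&id=7&action=view"


def _pairs(query):
    """Decode the query string into an ordered list of (name, value) pairs."""
    return parse_qsl(query, keep_blank_values=True)


def parse_first(query):
    """Policy: keep the first occurrence of each name (often cited for Java servlets)."""
    out = {}
    for name, value in _pairs(query):
        out.setdefault(name, value)
    return out


def parse_last(query):
    """Policy: keep the last occurrence of each name (often cited for PHP)."""
    out = {}
    for name, value in _pairs(query):
        out[name] = value
    return out


def parse_concat(query, sep=","):
    """Policy: join all occurrences with a separator (often cited for ASP.NET)."""
    out = {}
    for name, value in _pairs(query):
        out[name] = out[name] + sep + value if name in out else value
    return out


def parse_all(query):
    """Policy: keep every occurrence, in request order, as a list."""
    out = {}
    for name, value in _pairs(query):
        out.setdefault(name, []).append(value)
    return out


def inconsistent_layers(query, name):
    """Two tiers that disagree on the policy: a front-end filter validates the
    first occurrence, the back-end acts on the last one.  Returns the pair
    (value that was checked, value that is actually used)."""
    return parse_first(query)[name], parse_last(query)[name]


class ParameterPollution(ValueError):
    """Raised when a parameter expected exactly once appears more than once."""


def parse_strict(query, expect_single):
    """Hardened parser: names in expect_single must appear at most once and are
    returned as scalars; every other name is returned as a list, so the
    application never silently picks an occurrence for the caller."""
    values = parse_all(query)
    for name in expect_single:
        count = len(values.get(name, []))
        if count > 1:
            raise ParameterPollution(f"parameter {name!r} supplied {count} times")
    return {k: (v[0] if k in expect_single else v) for k, v in values.items()}


def is_polluted(query, expect_single):
    """True if parse_strict would reject the request."""
    try:
        parse_strict(query, expect_single)
    except ParameterPollution:
        return True
    return False


if __name__ == "__main__":
    for policy, parser in (("first", parse_first), ("last", parse_last),
                           ("concat", parse_concat), ("all", parse_all)):
        print(f"{policy:>6}: id = {parser(SAMPLE_QUERY)['id']!r}")
    checked, used = inconsistent_layers(SAMPLE_QUERY, "id")
    print(f"front-end validated id={checked!r}, back-end used id={used!r}")
    print("strict parser rejects:", is_polluted(SAMPLE_QUERY, {"id"}))
```

The four policies are all reasonable on their own, which is Martin's point; the `inconsistent_layers` call shows why the choice still matters when two components in the same request path make it differently. `parse_strict` is the application-side fix that does not depend on any standard: state the expected cardinality per parameter and refuse requests that violate it.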
Current thread:
- RE: [WEB SECURITY] Re: HTTP Parameter Pollution Martin O'Neal (May 22)
- <Possible follow-ups>
- RE: [WEB SECURITY] Re: HTTP Parameter Pollution Martin O'Neal (May 22)
- RE: [WEB SECURITY] Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- RE: [WEB SECURITY] Re: HTTP Parameter Pollution Martin O'Neal (May 22)
- RE: [WEB SECURITY] Re: HTTP Parameter Pollution Martin O'Neal (May 25)
- RE: [WEB SECURITY] Re: HTTP Parameter Pollution Stefano Di Paola (May 25)