WebApp Sec mailing list archives
Re: HTTP Parameter Pollution
From: Stefano Di Paola <stefano.dipaola () wisec it>
Date: Wed, 20 May 2009 17:58:48 +0200
Il giorno mer, 20/05/2009 alle 17.49 +0200, Ivan Ristic ha scritto:
On Wed, May 20, 2009 at 5:30 PM, Stefano Di Paola <stefano.dipaola () wisec it> wrote:... Having said that, we think there's something you're missing from the application point of view. The fact that the web server behavior does not affects HPP, would be correct only, and only if, there is no other hardcoded parameter. But think about: URL #1 http://backend.server/doSomething?action=view&key=$param and URL #2 http://backend.server/doSomething?key=$param&action=view Given that the injection is the issue, and that the attack is: value%26action=delete%23 which is the safe url and which the vulnerable one?Both are vulnerable because both can be manipulated. Only one is exploitable. The difference here is that I don't care about exploitability and you do. My view is that if I don't know how to exploit a vulnerability that does not mean that there isn't someone else who can :) That's why, in my view, the additional technique you need for exploitability does not matter.
:) agree. Nevertheless the impact in risk analysis changes. Also, the client side HPP is a way to warn developers and reviewers to pay attention in the right way to encode output in its own context: htmlentities Vs. UrlEncoding. Stefano & Luca -- ...oOOo...oOOo.... Stefano Di Paola Software & Security Engineer Owasp Italy R&D Director Web: www.wisec.it ..................
Current thread:
- Re: [WEB SECURITY] HTTP Parameter Pollution, (continued)
- Re: [WEB SECURITY] HTTP Parameter Pollution bugtraq (May 19)
- Re: [WEB SECURITY] HTTP Parameter Pollution Stefano Di Paola (May 22)
- Message not available
- Message not available
- Re: HTTP Parameter Pollution Stefano Di Paola (May 19)
- Message not available
- Re: [WEB SECURITY] HTTP Parameter Pollution bugtraq (May 19)
- Message not available
- Re: [WEB SECURITY] Re: HTTP Parameter Pollution Stefano Di Paola (May 19)
- Message not available
- Re: [WEB SECURITY] HTTP Parameter Pollution Stefano Di Paola (May 20)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Ivan Ristic (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: HTTP Parameter Pollution Stefano Di Paola (May 22)
- Re: [WEB SECURITY] Re: HTTP Parameter Pollution Ivan Ristic (May 22)