Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: FW: HTTP Parameter Pollution
From: "Luca.carettoni" <luca.carettoni () ikkisoft com>
Date: Thu, 21 May 2009 14:20:50 +0200

Thanks!
If you have an interesting finding and you would like to share it with us, we may consider including it in the 
whitepaper. 
This is true for Marco as well as for all of you.  Several HPP-like flaws are probably around and awareness is the key 
to resolve the issue.

Cheers,
Luca & Stefano

-----Original message-----
From: Marco Mella marco.mella () gmail com
Date: Thu, 21 May 2009 09:39:49 +0200
To: stefano.dipaola () wisec it,  luca.carettoni () ikkisoft com
Subject: Re: FW: HTTP Parameter Pollution

Hi Stefano, Luca.Very good job.
I think that HPP open new very interesting perspective for web application
security on both side of medal, attack and defense.
I have tried some web site and I have found very interesting side-effect of
HPP.

Cheers,
Marco

Hi guys,

during OWASP AppSec Poland 2009 we presented a newly discovered input
validation vulnerability called "HTTP Parameter Pollution" (HPP).

Basically, it can be defined as the feasibility to override or add HTTP
GET/POST parameters by injecting query string delimiters.

In the last months, we have discovered several real world flaws in which
HPP can be used to modify the application behaviors, access
uncontrollable variables and even bypass input validation checkpoints
and WAFs rules.

Exploiting such HPP vulnerabilities, we have found several problems in
some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
Classic and many other products.

If you are interested, you are kindly invited to have a look at:
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

We're going to release additional materials in the next future,
including a video of the Yahoo! attack vector.

Stay tuned on http://blog.mindedsecurity.com and
http://blog.nibblesec.org

Cheers,
Stefano Di Paola and Luca Carettoni

--
Stefano Di Paola
Chief Technology Officer, LA/ISO27001
Minded Security Research Labs Director

Minded Security - Application Security Consulting

Official Site: www.mindedsecurity.com

Personal Blog: www.wisec.it/sectou.php
..................




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault