Web Application Security
Re: FW: HTTP Parameter Pollution
May 21 2009 12:20PM
Luca.carettoni (luca carettoni ikkisoft com)
If you have an interesting finding and you would like to share it with us, we may consider including it in the whitepaper.
This is true for Marco as well as for all of you. Several HPP-like flaws are probably around, and awareness is the key to resolving the issue.
Luca & Stefano
From: Marco Mella marco.mella (at) gmail (dot) com
Date: Thu, 21 May 2009 09:39:49 +0200
To: stefano.dipaola (at) wisec (dot) it, luca.carettoni (at) ikkisoft (dot) com
Subject: Re: FW: HTTP Parameter Pollution
> Hi Stefano, Luca. Very good job.
> I think that HPP opens new, very interesting perspectives for web application
> security on both sides of the medal, attack and defense.
> I have tried some web sites and I have found very interesting side-effects of
> Hi guys,
> > during OWASP AppSec Poland 2009 we presented a newly discovered input
> > validation vulnerability called "HTTP Parameter Pollution" (HPP).
> > Basically, it can be defined as the possibility of overriding or adding HTTP
> > GET/POST parameters by injecting query string delimiters.
> > In recent months, we have discovered several real world flaws in which
> > HPP can be used to modify the application behaviors, access
> > uncontrollable variables and even bypass input validation checkpoints
> > and WAFs rules.
> > Exploiting such HPP vulnerabilities, we have found several problems in
> > some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> > Classic and many other products.
> > If you are interested, you are kindly invited to have a look at:
> > http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> > We're going to release additional materials in the near future,
> > including a video of the Yahoo! attack vector.
> > Stay tuned on http://blog.mindedsecurity.com and
> > http://blog.nibblesec.org
> > Cheers,
> > Stefano Di Paola and Luca Carettoni
> > --
> > Stefano Di Paola
> > Chief Technology Officer, LA/ISO27001
> > Minded Security Research Labs Director
> > Minded Security - Application Security Consulting
> > Official Site: www.mindedsecurity.com
> > Personal Blog: www.wisec.it/sectou.php
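The two mechanisms the announcement describes, overriding a parameter through duplicate occurrences and adding a parameter by injecting an encoded `&` into a value that a front end forwards unescaped, are shown below as an added example. This code is not from the original post or the whitepaper; the back-end URL `http://backend.internal/search`, the parameter names `q`, `scope` and `id`, the three resolution policies (`first`, `last`, `join`, standing in for stacks that keep the first occurrence, the last occurrence, or concatenate all occurrences with a comma) and the naive WAF rule are all illustrative assumptions.

```python
"""HTTP Parameter Pollution (HPP) demo.

Added example, not code from the original mailing-list post. The back-end URL,
parameter names, resolution policies and the WAF rule are illustrative
assumptions chosen to show the technique, not a description of any real product.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

BACKEND = "http://backend.internal/search"  # assumed internal back end


def resolve_params(query, policy):
    """Return {name: value} for a raw query string under one resolution policy.

    'first': keep the first occurrence of a repeated name
    'last':  keep the last occurrence
    'join':  concatenate all occurrences with a comma
    Real stacks differ in exactly this way, which is what HPP exploits.
    """
    merged = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in merged:
            merged[name] = value
        elif policy == "last":
            merged[name] = value
        elif policy == "join":
            merged[name] = merged[name] + "," + value
        elif policy != "first":
            raise ValueError("unknown policy: " + policy)
    return merged


def build_backend_url(front_query, backend=BACKEND):
    """Vulnerable front end: URL-decodes 'q' once, then splices it into the
    back-end URL without re-encoding and pins scope=public afterwards."""
    front = resolve_params(front_query, "first")
    q = front.get("q", "")
    return f"{backend}?q={q}&scope=public"


def build_backend_url_fixed(front_query, backend=BACKEND):
    """Fixed front end: every forwarded value is re-encoded, so an injected
    '&' or '=' inside 'q' stays data instead of becoming a delimiter."""
    front = resolve_params(front_query, "first")
    return backend + "?" + urlencode({"q": front.get("q", ""), "scope": "public"})


def backend_view(url, policy):
    """What the back end sees after resolving duplicates under 'policy'."""
    return resolve_params(urlsplit(url).query, policy)


def naive_waf_blocks(query):
    """Toy WAF rule: inspects each parameter occurrence on its own and blocks
    a value that looks like 'select ... from'. Splitting the payload across
    duplicate parameters defeats it on a 'join' stack."""
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if re.search(r"select.+from", value, re.IGNORECASE):
            return True
    return False


if __name__ == "__main__":
    # Constructed attacker input: %26 and %3D are '&' and '=' encoded once.
    attack = "q=test%26scope%3Dprivate"
    url = build_backend_url(attack)
    print("vulnerable back-end URL:", url)
    for policy in ("first", "last", "join"):
        print(f"  back end ({policy}): scope =", backend_view(url, policy)["scope"])
    print("fixed back-end URL:     ", build_backend_url_fixed(attack))

    # Constructed WAF-bypass input: neither half matches 'select.+from' alone.
    split = "id=1;+select+1&id=2+from+users"
    print("WAF blocks split payload:", naive_waf_blocks(split))
    print("joined value seen by back end:", resolve_params(split, "join")["id"])
```

Run as a script the output shows that the same injected request yields `scope=private` on a first-wins back end, `scope=public` on a last-wins back end and `private,public` on a concatenating one, so whether the override works depends entirely on the stack behind the front end. The fix is not to filter `&`: it is to re-encode every value on the way out (`urlencode` here) and, on the receiving side, to treat a repeated parameter as a list (Python's `parse_qs` already does) and reject or explicitly pick one element rather than silently taking first, last or joined.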
Copyright 2010, SecurityFocus