comments (not for humans)

[Security] HPP - HTTP Parameter Pollution

June 15, 2009 - 22:31 CEST   -   Tags: OWASP security HPP parameters What happens if you submit the same parameter twice in an HTTP request? This is what Luca Carettoni and Stefano Dipaola asked themselves. And the answer they found, which was presented at OWASP AppSecEU09, was both scary and interesting.

It seems different web servers handle this situation in very different ways. Given par1=val1&par1=val2 in the URI or POST body, ASP.NET will return "val1,val2". Perl as mod_perl on apache will create an array, while Python/Zope will return ['val1','val2']. Other web servers return first or last parameter. See the full list on slide 9 in their presentation.

The problem becomes bigger, when we take into account that many applications do their own parameter parsing. And in some cases this means they will validate one parameter, while using another. You will see an example of using different values on slide 13.

See the slides or the video recording of the presentation for more examples.

Tweet
submit to reddit
Submit
Comments | Permalink | | This entry has been viewed 1417 time(s).
Add comment:
Spam will be deleted.
Name:

Email:
(For Gravatar - will not be displayed)
Comment:

[i]text[/i] for italic, [b]text[/b] for bold, [u]text[/u] for underline, [code]text[/code] for monospace
Please multiply 7 and 3 (anti-spam purpose). Enter the result below:

About Erlend
I'm a senior consultant at Bekk Consulting AS. This blog is about software development, with a special focus on security.

Follow me on twitter
Latest posts
31.08 [Security] Rails 3.0 and XSS-protection
6.07 [Security] Avoiding NoSQL-injection with MongoDB
27.06 [Security] NOSQL-injection
7.06 [.NET] Microsoft Pex - exploratory testing
18.05 [Security] Security podcasts
Tag cloud
.net, .netspec, adam, ad lds, ajax, asp.net, authorization, axis, bdd, certificates, conference, cookie, craftsman, crossdomain, cross site scripting, csrf, css, escaping, firefox, flash, flex, httponly, input validation, javascript, jquery, jsonp, nosql, nosql-injection, output escaping, owasp, password, phishing, ql-injection, rails, rfi, security, silverlight, spam, speaker, sql-injection, sql injection, ssl, talk, tdd, testing, unit testing, web services, wse, wss4j, x509, xml, xsrf, xss
Categories
All - [RSS]
.NET - [RSS]
Agile - [RSS]
CSS/HTML/Js - [RSS]
Frameworks - [RSS]
Java - [RSS]
Security - [RSS]
Testing - [RSS]
Web Services - [RSS]
Blogroll
Honeynor
BEKK Open
movito
Vidar's musings
Aslak Hellesøy
Geekbeing's rants
Jeremiah Grossman
RSnake
Mike Andrews
Schneier on security
Michael Sutton's blog
Network security blog
On code development
Change is nothing, everything is
leif
hamang.net
Andreas' code blog
The Dilbert Blog
Pearls before swine
(IN)SECURE Magazine