What happens if you submit the same parameter twice in an HTTP request? This is what Luca Carettoni and Stefano di Paola asked themselves. And the answer they found, which was presented at OWASP AppSecEU09, was both scary and interesting.

It seems different web servers handle this situation in very different ways. Given par1=val1&par1=val2 in the URI or POST body, ASP.NET will return "val1,val2". Perl running as mod_perl on Apache will create an array, while Python/Zope will return ['val1','val2']. Other web servers return only the first or only the last occurrence of the parameter. See the full list on slide 9 in their presentation.

The problem becomes bigger when we take into account that many applications do their own parameter parsing. In some cases this means they will validate one occurrence of a parameter while using another. You will see an example of using different values on slide 13.
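The parsing behaviours above and the validate-one-use-another mismatch, as an added example that is not taken from the presentation or the original post. The helper names and the id=42&id=abc query are constructed for illustration; strict_params shows one mitigation, rejecting repeated names before any component reads them.

```python
from urllib.parse import parse_qsl


def _pairs(query):
    # Ordered (name, value) pairs, duplicates preserved.
    return parse_qsl(query, keep_blank_values=True)


def interpretations(query, name):
    """Show how the same query reads under the four behaviours described above."""
    vals = [v for k, v in _pairs(query) if k == name]
    return {
        "first": vals[0] if vals else None,        # first occurrence wins
        "last": vals[-1] if vals else None,        # last occurrence wins
        "joined": ",".join(vals) if vals else None,  # "val1,val2" style
        "list": vals,                               # array / list style
    }


def validated_differs_from_used(query, name, is_valid):
    """True when a check on the first occurrence passes but the last
    occurrence, which a different component might use, fails that check."""
    seen = interpretations(query, name)
    if seen["first"] is None:
        return False
    return is_valid(seen["first"]) and not is_valid(seen["last"])


def strict_params(query):
    """Hardened parsing: refuse any request that repeats a parameter name,
    so every component sees exactly one value per name."""
    params = {}
    for key, value in _pairs(query):
        if key in params:
            raise ValueError(f"duplicate parameter: {key!r}")
        params[key] = value
    return params


if __name__ == "__main__":
    print(interpretations("par1=val1&par1=val2", "par1"))
    # Constructed query: numeric check passes on "42", backend would see "abc".
    print(validated_differs_from_used("id=42&id=abc", "id", str.isdigit))
    try:
        strict_params("id=42&id=abc")
    except ValueError as exc:
        print("rejected:", exc)
```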

See the slides or the video recording of the presentation for more examples.