Peaches Posted May 21, 2009 Report Share Posted May 21, 2009 20 May 2009, 12:58New type of attack on web applications: Parameter Pollution At the recent OWASP conference, the Italian security experts Luca Carettoni and Stefano Di Paola demonstrated a new way of manipulating web applications and tricking security systems: HTTP Parameter Pollution (HPP). This form of attack essentially involves submitting the parameters in GET and POST requests in unusual form or order, or with unusual delimiters. A request like: GET /foo?par1=val1&par2=val2 HTTP/1.1will be processed in the normal way, while GET /foo?par1=val1&par1=val2 HTTP/1.1with two occurrences of par1 can result in various different server-side variable interpretations, depending on the web server's or application's parsing routine. According to Carettoni and Di Paola, this can cause the application to behave in an unwanted and highly unpredictable way and result in security issues.Web application firewalls (WAFs) and server security extensions are also vulnerable to HPP attacks. While Apache's ModSecurity module recognises an SQL-injection attack like /index.aspx?page=select 1,2,3 from table where id=1it fails to detect /index.aspx?page=select 1&page=2,3 from table where id=1say the security experts. HPP can reportedly also be exploited for launching Cross-Site-Scripting attacks (XSS) on web browsers. The XSS filter of Internet Explorer 8 is apparently among the components vulnerable to this kind of attack.Carettoni and Di Paola recommend stricter filtering and URL encoding to counteract HPP. They also recommend using strict regular expressions in URL rewriting. (djwm) Heise security - http://www.h-online.com/security/New-type-...n--/news/113333>>>>>>>>>>>>>>>> Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.