Web Attacks Using HTTP Parameter Pollution
At the OWASP AppSec Poland 2009 web security conference two Italian security experts presented a new kind of web application attack threat. The presentation slides for the method called HTTP Parameter Pollution (HPP) are now available online.
The new attack class adds yet another method to the known ones attackers have used to inject scripts or SQL queries into HTTP GET or POST requests. Security researchers Stefano Di Paola and Luca Carettoni explain the method in their presentation through the assignment of parameter-value pairs.
The multiple parameter definitions in the following HTTP request can lead to unexpected behavior in web applications:
GET /foo?par1=val1&par1=val2 HTTP/1.1
That depends on the web application. Some take the first parameter value, some the second, others concatenate them and still others build an array.
What begins at HTTP servers ends up in frameworks and applications. Di Paola und Carettoni demonstrate the HTTP Parameter Pollution (HPP) effect on the CUPS print system web interface, during a CPAN search and in the Plone web framework. By the estimation of the two security experts, hard-coded variables can be overwritten with an HPP attack to exploit the vulnerabilities of the program. Even web application firewalls (WAFs) and other detection and repair methods could be outfoxed by the HPP attack under circumstances.
Other presentation slides show how an HPP attack interacts with program code and ties HTTP cookies and URL rewriting into the process. Further practical examples describe attacks on ModSecurity, PHPIDS, the Google Search Appliance and other web search engines, as well as Yahoo! Mail Classic.
Countermeasures suggested by Di Paola and Carettoni include applying URL encoding and using strict regular expressions (regex) with URL rewriting. Above all, they suggest being aware of the weaknesses of individual application components and to use strict filtering. The two have published an extensive white paper on the subject. The presentation slides can be downloaded from the Open Web Application Security Project (OWASP) website.
We have just added your latest post "Web Attacks Using HTTP Parameter Pollution - Linux Magazine Online" to our <a href="http://www.greenatmos.com"> Directory of Environment </a> . You can check the inclusion of the post <a href="http://greenatmos.com/story...inux-magazine-online"> here </a> . We are delighted to invite you to submit all your future posts to the <a href="http://www.greenatmos.com"> directory </a> for getting a huge base of visitors to your website and gaining a valuable backlink to your site.
Upcoming switch to HTML5-only ads is further evidence the Flash is entering its final days.
US government invests $19 billion on enhancing security and replacing ancient computer systems.
But you can still be a non-voting “individual supporter” if you pay the money
Several current systems could fall victim to the attack
Latest Linux engine comes with better graphics and support for Intel's new power-saving chips.
Hackers send a message of beauty and liberation to server logs
Citrix gets excited about new Pi-Powered XenDesktop client system
Linux on Azure cert heralds a new era for Redmond.
Proposals for presentations at the CeBIT Open Source Forum will be accepted through 24 January 2016.
Adobe looks for a new start; renames its embattled Flash tool.