HTTP Parameter Pollution FAQs

We have received numerous public replies as well as several private emails.
Thanks for your comments, suggestions and feedbacks.

It's now time to summarize and clarify some points.

Q: Is this a new class of exploits or just another case of applications lacking input validation?
A: Actually, HPP is an input validation flaw. As SQL Injection and XSS, we may consider it as an injection weakness. In this specific case, query string delimiters are the "dangerous" characters.

Q: You are saying that several HTTP back-ends manage multiple occurrences in different ways. In some cases, it may be abused in order to fingerprint the underline back-end. Is it right?
A: Yes, sure. However, considering the granularity available, we don't think it is really so interesting.

Q: This is a known attack. You guys presented a bunch of interesting but already known techniques to exploit different vulnerabilities.
A: Actually, we think we have contributed (in some way) to the current state-of-art showing this issue. However, even if it is currently used by "hardcore" attackers, it's very important to formalize a threat in order to mitigate the issue and create efficient workarounds. The aim of the entire research is to raise awareness around this problem. In future, we would like to include HPP within the OWASP Testing Guide in order to provide the right methodology for testing systems against HPP-like attacks as well. We strongly believe that sharing such knowledge may increase the security of all web applications.

Q: Most of your examples and findings use GET parameters. What about POST?
A: POST and COOKIE parameters may be affected as well. In slide #11 and #19, we have briefly stated that and you will see further research because it is a very interesting aspect since it gives additional flexibility for all attacks.

Q: In the current version of IE8, is the XSS Filter still vulnerable to HPP?
A: No! We had a discussion with the IE XSS Filter guy at Microsoft and turns out that the current version is NOT affected. All previous tests were done against the beta release and we didn't double check the latest one. We are sorry for this misunderstanding.

Q: Are multiple occurrences of a parameter valid according to the RFC, W3C, whatever?
A: Yes! Yes! The only thing which in fact was worth mentioning is the lack of standard in the management of multiple occurrences and NOT the presence of multiple occurrences themselves. After all, that's why it is possible to abuse the query string delimiters injection flaw.

Q: Is Yahoo! Mail still vulnerable to HPP?
A: Difficult to say. However, the specific issue was patched thus it cannot be abused by malicious users.

Q: Could you provide additional details regarding the Yahoo! Classic Mail HPP attack?
A: We've just published HERE an in-depth review of the issue with the video PoC as well.

Q: What's the right way of managing multiple occurrences? Is there a "perfect" framework?
A: No, there are no right o wrong behaviors as well as we cannot refer to a right or wrong web servers/web frameworks. The behavior of the HTTP back-ends is a matter of exploitability only.

Q: HPP is only about WAFs bypasses?
A: Absolutely not! HPP is also about applications flow manipulation, anti-CSRF, content pollution.

Q: How can I prevent HPP?
A: First of all, answer yourself "Which layer am I protecting?". Then, speaking about HPP server side, it's always important to use URL encoding whenever you do GET/POST HTTP requests to an HTTP back-end. From the client-side point of view, use URL encoding whenever you are going to include user-supplied content within links, etc.

Q: Am I vulnerable to HPP?
A: It depends on how you are managing several occurrences of the same parameter from the application point of view. Using strict input validation checkpoints and the right output filtering (URL encoding), you are likely secure (at least, against HPP).

That's all, for now.


HTTP Parameter Pollution (HPP)

As you know, on May 14th @ OWASP AppSec Poland 2009, me and Stefano di Paola have presented a new attack category called HTTP Parameter Pollution (HPP).

HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters. It affects a building block of all web technologies thus server-side as well as client-side attacks exist.

Exploiting HPP vulnerabilities, it may be possible to:

  • Override existing hardcoded HTTP parameters
  • Modify the application behaviors
  • Access and, potentially exploit, uncontrollable variables
  • Bypass input validation checkpoints and WAFs rules
Just to whet your appetite, we can anticipate that by researching real world HPP vulnerabilities, we have discovered issues on some Google Search Appliance front-end scripts,, Yahoo! Mail Classic and several other products.

You can download the slides of the talk here or browse it on Slideshare.

Also, we'll release a whitepaper in order to clarify all details about HPP.
As last news, the video of the "Yahoo! Classic Mail" client side HPP exploitation will be available soon on this blog. That's all for now.


MiTM on VMware Server

Since a little more than year I've been researching on virtualization security, focusing on "real" issues - not the low level stuff which is unlikely to ever turn into an exploit in the real world.
Finally the company I work for rolled out a virtualization security service and people are releasing actual attacks on such infrastructures and it's time to join the party.

I'll start by releasing a very simple tool which is able to perform MITM against VMware Server Console. Isn't that trivial, you might wonder?
Well, as a matter of fact the tool is very simple and error prone: this alpha version is little more than a loop with a couple of connect which was first sketched by Snagg and which I then finished with my non-existant Python coding skills.

But, actually, there are a couple of facts which make this tool interesting.

Fact 1: VMware console will not check for the SSL certificate and won't even warn the user about a wrong certificate. Bad, very bad.

Fact 2: Most SSL MiTM tools will just fail in working with VMware Console since before the SSL connection is enstablished, an unencrypted line is sent through the socket in plaintext, effectively crashing any tool I know about.

Fact 3: The password is not actually sent in cleartext through the pipe. More on this in future posts.

You can grab the alchemic python solution here, but keep in mind that it is mightly unstable in the current version.

Making OWASP AppSec 2009 virtual

The most interesting Web App Security conference is here, in Krakow.
OWASP AppSec 2009 is a great event, indeed. We're having fun, sharing ideas and trying to build the next webapp security, all together. No flags, no commercial slogans.

If you do not have the chance to attend the conference in these days, you may virtually join us. Seba and the other guys have organized a 360 degree coverage using blogs, Twitter, Flickr, ...

In few hours, together with Stefano di Paola, we are going to present our research on HTTP Parameter Pollution (HPP). As we like to say, HPP is a quite simple but effective hacking technique. It can be used to modify the behaviors of client-side and server-side applications, to exploit vulnerabilities in uncontrollable variables and even to bypass web application firewalls. As you will see, it’s a kind of unbelievable story. Further details and the slides will be published as soon as possible.


Mac Hacking Class and presentation at BH USA


so a bit of advertisement for me.
I will do a training at Black Hat USA on Mac OS X hacking, I'm really looking forward to having you as students!
Register yourself here

The class will explain how to assess the security of Mac OS X from the ground up, including how to deal with heap and stack exploitation, Objective-C reversing, Mach API abusing, advanced payload writing and differences between iPhone and OSX exploitation.

Anyway if for whatever reason you can't attend my class(and in that case I'll be very sad), I'll speak with Charlie Miller at the Briefings. Here's the abstract