Tuesday, May 19, 2009

HTTP Parameter Pollution (HPP)

As you know, on May 14th at OWASP AppSec Poland 2009, Stefano di Paola and I presented a new attack category called HTTP Parameter Pollution (HPP).

HPP can be defined as the ability to override or add HTTP GET/POST parameters by injecting query string delimiters. Because it affects a building block of all web technologies, both server-side and client-side variants of the attack exist.

By exploiting HPP vulnerabilities, it may be possible to:
  • Override existing hardcoded HTTP parameters
  • Modify the application's behavior
  • Access and potentially exploit uncontrollable variables
  • Bypass input validation checkpoints and WAF rules
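To make the definition above concrete, here is an added Python example (it is not code from the talk, the slides or this blog). It models the classic two-hop case: a front-end copies a user-supplied parameter into a query string it sends to a back-end. A percent-encoded delimiter in the value survives the first hop as data and becomes a real delimiter on the second hop, so the back-end sees a duplicated, attacker-controlled `action` parameter. The example shows the vulnerable concatenation beside the hardened re-encoding form, a small detector that flags duplicated parameter names (what a WAF or log check would key on), and a `resolve()` helper that models the commonly documented ways platforms collapse a duplicated name (ASP/ASP.NET join all values with a comma, PHP keeps the last, Java servlets return the first). The back-end URL, the parameter names and the sample value are all constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Hypothetical back-end endpoint used only for this illustration.
BACKEND = "http://backend.example/search"


def find_polluted_params(query):
    """Return {name: [values...]} for every parameter that occurs more than once.

    A duplicated name is the fingerprint of an HPP attempt (or of a legitimate
    multi-valued field), so a WAF rule or application log check can key on it.
    """
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def resolve(values, backend):
    """Model how common platforms collapse a duplicated parameter into one value.

    Documented behaviour: ASP/ASP.NET join all occurrences with a comma,
    PHP keeps the last occurrence, Java servlets (getParameter) return the first.
    """
    if backend == "asp.net":
        return ",".join(values)
    if backend == "php":
        return values[-1]
    if backend == "jsp":
        return values[0]
    raise ValueError("unknown backend: %s" % backend)


def frontend_naive(incoming_query):
    """Vulnerable pattern (constructed): the already-decoded user value is
    concatenated straight into the back-end query string, so an encoded '&'
    inside it turns into a new delimiter on the second hop."""
    params = dict(parse_qsl(incoming_query, keep_blank_values=True))
    return BACKEND + "?action=view&q=" + params.get("q", "")


def frontend_safe(incoming_query):
    """Hardened form: every value is re-encoded with urlencode, so any
    delimiter characters inside it stay data instead of becoming structure."""
    params = dict(parse_qsl(incoming_query, keep_blank_values=True))
    return BACKEND + "?" + urlencode({"action": "view", "q": params.get("q", "")})


if __name__ == "__main__":
    # Constructed input: the value of q carries a percent-encoded '&action=delete'.
    incoming = "q=1%26action%3Ddelete"
    for builder in (frontend_naive, frontend_safe):
        url = builder(incoming)
        dup = find_polluted_params(url.split("?", 1)[1])
        print(builder.__name__, url, dup or "no pollution")
```

Running it shows the naive builder emitting `action=view&q=1&action=delete`, which the detector reports as a polluted `action`, while the safe builder emits `q=1%26action%3Ddelete` and nothing is duplicated. Which of the two `action` values the back-end acts on is exactly the platform-dependent question that `resolve()` models; the detector does not need to know the answer, because any duplicate of a parameter the front-end hard-codes is already a signal.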
Just to whet your appetite, we can anticipate that while researching real-world HPP vulnerabilities we discovered issues in some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and several other products.

You can download the slides of the talk here or browse them on Slideshare.

Also, we'll release a whitepaper to clarify all the details about HPP.
Finally, the video of the "Yahoo! Classic Mail" client-side HPP exploitation will be available soon on this blog. That's all for now.

Cheers,
Ikki

5 comments:

  1. Isn't HPP just another name for "value shadowing"? Value shadowing has been flagged by at least one commercial static analyzer for a while now... Do a Google search and I'm sure you will figure out which one.

  2. We have just posted our reply here and on www.wisec.it
    --

    HPP is also about:
    1. Client Side
    2. Server Side
    3. WAFs Bypass

    About the specific question, you are probably mentioning:
    http://www.fortify.com/vulncat/en/vulncat/dotnet/value_shadowing_server_variable.html

    I want to cite it:
    "The program accesses a server variable in an ambiguous way, which can leave it open to attack. "

    This has nothing to do with HPP in the form we have shown during our presentation.
    Please, read once again the slides and come back with any point we stated that is actually connected with HPP. In particular, about the description of the bypass, the issue is nonsense since the bypass can be easily performed by simply using:

    curl "www.example.com/ProtectedImages.aspx" -ki -H "Referer: http://www.example.com"

    This is true, even if the code is using the right access to the referrer.

    That said, EGPCS (Environment, GET, POST, Cookie, Server) order, GPC $_REQUEST order and register_globals have also been known since PHP became a widely used language. So, what's the point?

    The order by which a server uses a value instantiated by a parameter is _only_ a part of the real issue which is about exploiting HTTP parameter injections and WAFs Bypassing (multiple layers). Speaking about HPP, you have to consider two things: (a) input validation flaws against QueryString delimiters and (b) HTTP back-ends behaviors. As said, (b) is a matter of exploitability only.

    If you have missed the HTTP Parameter Pollution FAQs, please read them.

    Regards,
    Luca
