tag:blogger.com,1999:blog-732257695511948254.post1533171131442325240..comments2009-05-28T00:40:49.155-07:00Claudio Criscionehttp://www.blogger.com/profile/12202628660778574382noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-732257695511948254.post-67303477078751991102009-05-28T00:40:49.155-07:002009-05-28T00:40:49.155-07:00We have just posted our reply here and on www.wisec.it<br />--<br /><br />HPP is also about:<br />1. Client Side<br />2. Server Side<br />3. WAFs Bypass<br /><br />About the specific question, you are probably mentioning:<br />http://www.fortify.com/vulncat/en/vulncat/dotnet/value_shadowing_server_variable.html<br /><br />I want to cite it:<br />"The program accesses a server variable in an ambiguous way, which can leave it open to attack. "<br /><br />This has nothing to do with HPP in the form we have shown during our presentation.<br />Please, read once again the slides and come back with any point we stated that is actually connected with HPP. In particular, about the description of the bypass, the issue is nonsense since the bypass can be easily performed by simply using:<br /><br />curl "www.example.com/ProtectedImages.aspx" -ki -H "Referrer:http://www.example.com"<br /><br />This is true, even if the code is using the right access to the referrer.<br /><br />That said, also EGPCS (Environment, GET, POST, Cookie, Server)order ,GPC $REQUEST order and register_globals are known since PHP became a widely used language. So, what’s the point?<br /><br />The order by which a server uses a value instantiated by a parameter is _only_ a part of the real issue which is about exploiting HTTP parameter injections and WAFs Bypassing (multiple layers). Speaking about HPP, you have to consider two things: (a) input validation flaws against QueryString delimiters and (b) HTTP back-ends behaviors. As said, (b) is a matter of exploitability only.<br /><br />If you have missed the HTTP Parameter Pollution FAQs, please read it.<br /><br />Regards,<br />LucaLuca Carettonihttp://www.blogger.com/profile/09957564681262364569noreply@blogger.comtag:blogger.com,1999:blog-732257695511948254.post-65982004555292100402009-05-22T12:42:06.139-07:002009-05-22T12:42:06.139-07:00Isn't HPP just another name for "value shadowing"? Value shadowing has been being flagged by at least one commercial static analyzer for a while now... Do a google search and I'm sure you will figure out which one.Jeremyhttp://www.blogger.com/profile/06300558549133430072noreply@blogger.com