Hi all,

I have just blogged about research we recently did on HTTP Parameter Pollution [1]. I would like to share it with you.

HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.

To the best of our knowledge, no tools have been presented to date for the detection of this sort of vulnerability and no studies have been published on the topic. The most effective means of discovering HPP vulnerabilities in websites is via manual inspection. At the same time, it is unclear how common and significant a threat HPP vulnerabilities are in existing web applications.

We, therefore, decided to dig deeper into the detection problem and create the first automated system for the detection of HPP vulnerabilities in web applications. We then tested more than 5,000 popular web sites (taken from Alexa) and we discovered that 1499 of them contained at least one vulnerable page. That is, the tool was able to automatically inject an encoded parameter inside one of the existing parameters, and was then able to verify that its URL-decoded version was included in one of the URLs (links or forms) of the resulting page.

The problems we identified affected many important and well-known websites (e.g., Microsoft, Google, Symantec, Paypal, Facebook, etc.). After we notified them, we had the problems acknowledged and some patched.

We have now come online with a free service to test web applications (called PAPAS) and the PDF of the paper (link is below).

Cheers.
[1] http://blog.iseclab.org/2010/12/08/http-parameter-pollution-so-how-many-flawed-applications-exist-out-there-we-go-online-with-a-new-service/

--
bash$ :(){ :|:&};:
Computer Science belongs to all Humanity!
Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc
Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA
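The detection step described in the post (inject a percent-encoded delimiter plus a marker parameter into each existing parameter, then look for the URL-decoded marker as a parameter of its own in the links and forms of the returned page) can be reproduced offline in a few dozen lines. The block below is an added example written for this page; it is not the PAPAS tool or any code from the authors. The marker name `hpp_probe`, its value, the `/items` page and the two simulated servers (one that splices decoded parameter values back into links, one that rebuilds them with `urlencode`) are all constructed for the example. It also goes one step further than the post's description and shows the "override a hard-coded parameter" consequence: injecting `%26page%3D99` into `sort` makes the vulnerable page emit a link carrying `page` twice, and which copy the backend honours is backend-specific.

```python
"""Minimal HTTP Parameter Pollution (HPP) probe, modelled on the detection
idea in the post above. Added example, not the PAPAS tool."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Hypothetical marker injected into existing parameters (assumed names).
MARKER_NAME = "hpp_probe"
MARKER_VALUE = "c0ffee42"


def build_polluted_url(url, target, name=MARKER_NAME, value=MARKER_VALUE):
    """Append the encoded text '%26<name>%3D<value>' to parameter `target`.

    The delimiter stays percent-encoded on the wire, so the server decodes it
    once into '&<name>=<value>' *inside* the value of `target`.  The query is
    rebuilt by hand because urlencode() would double-encode the payload.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    payload = "%26" + quote(f"{name}={value}", safe="")
    pieces = []
    for key, val in pairs:
        piece = quote(key, safe="") + "=" + quote(val, safe="")
        if key == target:
            piece += payload
        pieces.append(piece)
    return urlunsplit(parts._replace(query="&".join(pieces)))


class _LinkCollector(HTMLParser):
    """Collect every <a href> and <form action> URL in a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for attr, val in attrs:
            if (tag, attr) in (("a", "href"), ("form", "action")) and val:
                self.urls.append(val)


def links_carrying(html, name, value):
    """URLs in `html` whose query contains (name, value) as a parameter of
    its own, i.e. our injected delimiter was decoded and then copied into a
    link or form without being re-encoded."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for link in collector.urls:
        pairs = parse_qsl(urlsplit(link).query, keep_blank_values=True)
        if (name, value) in pairs:
            hits.append(link)
    return hits


def duplicated_params(link):
    """Parameter names occurring more than once in a link's query: a
    hard-coded parameter now contended by the injected copy.  Which copy
    wins (first, last, or both) depends on the receiving backend."""
    names = [k for k, _ in parse_qsl(urlsplit(link).query, keep_blank_values=True)]
    return sorted({n for n in names if names.count(n) > 1})


def probe(url, fetch):
    """Inject the marker into each parameter of `url` in turn.
    Returns {parameter_name: [links in which the marker surfaced]}."""
    findings = {}
    for pname, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits = links_carrying(fetch(build_polluted_url(url, pname)),
                              MARKER_NAME, MARKER_VALUE)
        if hits:
            findings[pname] = hits
    return findings


# --- Constructed stand-ins for a remote site, so the probe runs offline ---

def vulnerable_server(url):
    """Echoes the decoded 'sort' value into a link and a form action
    without re-encoding it (the flaw the probe is looking for)."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    sort = q.get("sort", "")
    return (f'<a href="/items?sort={sort}&page=2">next</a>'
            f'<form action="/items?sort={sort}&view=list">'
            f'<input type="submit"></form>')


def hardened_server(url):
    """Same page, but every outgoing URL is rebuilt with urlencode(), so the
    decoded '&' inside the value is re-encoded as %26 and stays inert."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    sort = q.get("sort", "")
    nxt = urlencode({"sort": sort, "page": 2})
    frm = urlencode({"sort": sort, "view": "list"})
    return (f'<a href="/items?{nxt}">next</a>'
            f'<form action="/items?{frm}"><input type="submit"></form>')


if __name__ == "__main__":
    target = "https://example.test/items?sort=name&page=1"   # constructed
    print("vulnerable:", probe(target, vulnerable_server))
    print("hardened:  ", probe(target, hardened_server))
    ovr = build_polluted_url(target, "sort", "page", "99")
    for link in links_carrying(vulnerable_server(ovr), "page", "99"):
        print("override candidate:", link, duplicated_params(link))
```

To point this at a real site, replace `fetch` with a function that performs the GET and returns the body; the probe logic itself does not change. Note that the hardened version only closes the reflection into links and forms; a backend that concatenates decoded parameter values into further server-side requests would need the same re-encoding on that path too.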