lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <d47e34a5fc83c1e2e755c9cf80519c54@ikkisoft.com>
Date: Tue, 19 May 2009 14:34:03 +0200
From: "Luca.carettoni" <luca.carettoni@...isoft.com>
To: bugtraq@...urityfocus.com
Cc: webappsec@...ts.owasp.org, news@...uriteam.com,
	stefano.dipaola@...ec.it
Subject: HTTP Parameter Pollution

Hi Folks,
              during OWASP AppSec 2009 we have presented a newly discovered input validation vulnerability called "HTTP Parameter Pollution" (HPP). 

Basically, it can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters. 
During the last months, we have discovered several real world flaws in which HPP can be used to modify the application behaviors, access uncontrollable variables and even bypass input validation checkpoints and WAFs rules. Exploiting such HPP vulnerabilities, we have found several problems in some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and many other products.

If you enjoy the web security world, you are kindly invited to have a look at:	 
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

We're going to release additional materials in the next future, including a video of the Yahoo! attack vector. 
Stay tuned on http://blog.mindedsecurity.com and http://blog.nibblesec.org

Cheers,
Luca Carettoni and Stefano Di Paola

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ