Message-ID: <20101208204237.1ffa55a4@kasper>
Date: Wed, 8 Dec 2010 20:42:37 +0100
From: embyte <embyte@...lab.it>
To: bugtraq@...urityfocus.com
Subject: Follow-up on HTTP Parameter Pollution

Hi all,

I have just blogged about research we recently did on HTTP Parameter
Pollution [1]. I would like to share it with you.

HPP attacks consist of injecting encoded query string delimiters into
other existing parameters. If a web application does not properly
sanitize the user input, a malicious user can compromise the logic of
the application to perform either client-side or server-side attacks.
One consequence of HPP attacks is that the attacker can potentially
override existing hard-coded HTTP parameters to modify the behavior of
an application, bypass input validation checkpoints, and access and
possibly exploit variables that may be out of direct reach.

To the best of our knowledge, no tools have been presented to date for
the detection of this sort of vulnerability and no studies have been
published on the topic. The most effective means of discovering HPP
vulnerabilities in websites is via manual inspection. At the same time,
it is unclear how common and significant a threat HPP vulnerabilities
are in existing web applications.

We therefore decided to dig deeper into the detection problem and
create the first automated system for the detection of HPP
vulnerabilities in web applications. We then tested more than 5,000
popular web sites (taken from Alexa) and we discovered that 1499 of
them contained at least one vulnerable page. That is, the tool was
able to automatically inject an encoded parameter inside one of the
existing parameters, and was then able to verify that its URL-decoded
version was included in one of the URLs (links or forms) of the
resulting page.
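The two passages above (what an HPP injection looks like, and the check the
tool performs: inject an encoded delimiter into an existing parameter, then
look for its decoded form as a separate parameter in the links and forms of
the response) can be shown end to end in a small offline script. This is an
added example written for this page, not code from the PAPAS tool or the
paper; the marker parameter name `hppcheck`, the probe value `c4n4ry`, the
`simulate_server` stand-in and the `example.test` URL are all constructed
here. The stand-in application decodes the query once and builds a paging
link either by raw string concatenation (the reflection the text describes)
or by re-encoding every value (the fix):

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Constructed marker: if this shows up as its own parameter in a link or
# form of the response, the encoded delimiter was decoded and reflected.
PROBE_NAME = "hppcheck"
PROBE_VALUE = "c4n4ry"


def build_probe_url(url, target_param):
    """Append one level of URL-encoded '&hppcheck=c4n4ry' to target_param.

    The server decodes %26 / %3D once, so from its point of view the
    marker is part of target_param's value, not a parameter of its own."""
    parts = urlsplit(url)
    encoded = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pair = quote(name, safe="") + "=" + quote(value, safe="")
        if name == target_param:
            pair += "%26" + PROBE_NAME + "%3D" + PROBE_VALUE
        encoded.append(pair)
    return parts._replace(query="&".join(encoded)).geturl()


def simulate_server(request_url, hardened):
    """Hypothetical web application used in place of a live site.

    It decodes the query string once (as any framework does) and builds a
    'next page' link from the 'page' and 'sort' parameters."""
    params = dict(parse_qsl(urlsplit(request_url).query, keep_blank_values=True))
    page_no = params.get("page", "1")
    sort = params.get("sort", "asc")
    if hardened:
        # Fix: every reflected value is re-encoded, so a delimiter that
        # arrived inside a value stays inside that value.
        link = "/items?" + urlencode({"page": page_no, "sort": sort})
    else:
        # Reflection: raw concatenation emits the decoded '&' verbatim,
        # which splits the value into two parameters in the new link.
        link = "/items?page=%s&sort=%s" % (page_no, sort)
    return '<html><body><a href="%s">next</a></body></html>' % html.escape(link)


class LinkCollector(HTMLParser):
    """Collect the URLs of <a href> and <form action> in a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.urls.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.urls.append(attrs["action"])


def page_reflects_probe(page):
    """Return the URLs in `page` that carry the marker as a parameter of
    its own, i.e. the URL-decoded probe was reflected into a link or form."""
    collector = LinkCollector()
    collector.feed(page)
    hits = []
    for url in collector.urls:
        pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
        if (PROBE_NAME, PROBE_VALUE) in pairs:
            hits.append(url)
    return hits


def audit(url, target_param, hardened):
    """Full check against the stand-in server: probe, fetch, inspect."""
    probe_url = build_probe_url(url, target_param)
    page = simulate_server(probe_url, hardened)
    return page_reflects_probe(page)


if __name__ == "__main__":
    start = "http://example.test/items?page=2&sort=asc"
    print("probe URL :", build_probe_url(start, "page"))
    print("reflected :", audit(start, "page", hardened=False))
    print("hardened  :", audit(start, "page", hardened=True))
```

Against a real site the `simulate_server` call would be replaced by an HTTP
fetch of the probe URL; the detection logic in `page_reflects_probe` is the
same. Note that the check is a necessary condition only: a reflected marker
shows the application rebuilds URLs from raw input, and whether an injected
parameter then overrides a hard-coded one depends on how the receiving
endpoint resolves duplicate parameter names.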

The problems we identified affected many important and well-known
websites (e.g., Microsoft, Google, Symantec, Paypal, Facebook, etc.).
After we notified them, we had the problems acknowledged and some
patched.

We have now come online with a free service to test web applications
(called PAPAS) and the PDF of the paper (link below).

Cheers.

[1] http://blog.iseclab.org/2010/12/08/http-parameter-pollution-so-how-many-flawed-applications-exist-out-there-we-go-online-with-a-new-service/

-- 
bash$ :(){ :|:&};: Computer Science belongs to all Humanity! 
Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc
Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA)