×
  • Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
 

Http Parameter Pollution, a new category of web attacks

by on May 19, 2009

  • 40,771 views

On May 14th @ OWASP Appsec Poland 2009, Stefano Di Paola (Minded Security) and Luca Carettoni presented a new attack category called...

On May 14th @ OWASP Appsec Poland 2009, Stefano Di Paola (Minded Security) and Luca Carettoni presented a new attack category called
Http Parameter Pollution (HPP).

HPP attacks can be defined as the possibility to override or add HTTP GET/POST parameters by injecting query string
delimiters.
It affects a building block of all web technologies thus server-side and client-side attacks exist.
Exploiting HPP vulnerabilities, it may be possible to:
* Override existing hardcoded HTTP parameters.
* Modify the application behaviors.
* Access and, potentially exploit, uncontrollable variables.
* Bypass input validation checkpoints and WAFs rules.

Statistics

Views

Total Views
40,771
Views on SlideShare
26,070
Embed Views
14,701

Actions

Likes
10
Downloads
336
Comments
2

71 Embeds 14,701

http://www.securitytube.net 4109
http://www.rafayhackingarticles.net 3654
http://prohackersden.blogspot.com 2744
http://feeds.feedburner.com 928
http://www.elladodelmal.com 900
http://www.protezioneaccount.com 448
http://bharath-marrivada.blogspot.com 440
http://bharath-marrivada.blogspot.in 434
http://www.nsai.it 290
http://securitytube.net 178
http://prajwal-tuladhar.net.np 93
http://blog.segu-info.com.ar 90
http://feeds2.feedburner.com 57
http://bharath-marrivada.blogspot.co.uk 44
http://translate.googleusercontent.com 44
http://www.slideshare.net 43
http://static.slidesharecdn.com 30
http://bharath-marrivada.blogspot.ca 19
http://blog.neodyme.net 14
http://www.bonweb.fr 12
http://bharath-marrivada.blogspot.com.au 10
http://webcache.googleusercontent.com 8
http://bharath-marrivada.blogspot.de 7
http://www.neodyme.net 6
http://bharath-marrivada.blogspot.com.br 5
http://bharath-marrivada.blogspot.fr 5
http://bharath-marrivada.blogspot.tw 5
http://bharath-marrivada.blogspot.sg 5
http://toysone.blogspot.com 5
http://bharath-marrivada.blogspot.ro 4
http://rsscorner.com 4
http://www.plurk.com 4
http://bharath-marrivada.blogspot.fi 3
http://bharath-marrivada.blogspot.kr 3
http://securitytube-hrd.appspot.com 3
http://www.prohackersden.blogspot.com 3
http://bharath-marrivada.blogspot.nl 3
http://bharath-marrivada.blogspot.com.ar 3
http://bharath-marrivada.blogspot.co.nz 3
http://bharath-marrivada.blogspot.hk 2
http://twitter.com 2
http://37com.mail.everyone.net 2
http://www.bharath-marrivada.blogspot.in 2
http://bharath-marrivada.blogspot.cz 2
http://2.securitytube-hrd.appspot.com 2
http://bharath-marrivada.blogspot.ru 2
http://bharath-marrivada.blogspot.no 2
http://macacosabetudo.blogspot.com.br 2
http://bharath-marrivada.blogspot.ae 1
http://www.slashdocs.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via SlideShare as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

12 of 2 previous next

  • zchalex Zch Alex at Trend Micro Http Parameter Pollution, a new category of web attacks 2 years ago
    Are you sure you want to
    Your message goes here
    Processing…
  • mnot Mark Nottingham, person at mnot.net HTTP doesn't define the syntax of query strings; the format you're talking about is defined by HTML. So, it'd be more accurate to call this something else. 2 years ago
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Http Parameter Pollution, a new category of web attacks Http Parameter Pollution, a new category of web attacks Presentation Transcript