
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)

by IT Security Researcher on Mar 18, 2011

While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.

In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and applying a set of tests and heuristics to determine whether the generated pages contain HPP vulnerabilities. We used this system to conduct a large-scale experiment, testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMware, Facebook, Symantec, PayPal and others. These sites have all been informed, and many of them have acknowledged or fixed the problems. We will explain in detail how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
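The flaw and its fix as described in the abstract, shown as an added example that is not code from the talk or its authors: a link builder that lets an injected delimiter collide with a hard-coded parameter, the encoded version, and a check that flags the polluted link. The path `/vote`, the parameters `poll_id` and `action`, and all function names are assumptions, and the sample input is constructed.

```python
from urllib.parse import parse_qsl, quote, urlsplit

# Hypothetical page template: a link carrying one user-controlled value
# (poll_id) next to a hard-coded parameter (action=view).

def build_link_unsafe(poll_id):
    # Vulnerable: the already-decoded value is concatenated as-is, so any
    # '&' or '=' inside it becomes a real query-string delimiter.
    return "/vote?poll_id=" + poll_id + "&action=view"

def build_link_safe(poll_id):
    # Fixed: percent-encode the value so delimiters stay data.
    return "/vote?poll_id=" + quote(poll_id, safe="") + "&action=view"

def repeated_params(link):
    """Return {name: [values]} for parameters occurring more than once."""
    seen = {}
    for name, value in parse_qsl(urlsplit(link).query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}

def is_polluted(link, template_names):
    """True if the link's parameter names differ from the template's."""
    pairs = parse_qsl(urlsplit(link).query, keep_blank_values=True)
    return sorted(n for n, _ in pairs) != sorted(template_names)

# Constructed input: the request carried poll_id=42%26action%3Dedit and the
# framework decoded it before handing it to the application.
DECODED_INPUT = "42&action=edit"
TEMPLATE = ["poll_id", "action"]

if __name__ == "__main__":
    for build in (build_link_unsafe, build_link_safe):
        link = build(DECODED_INPUT)
        print(build.__name__, link, repeated_params(link),
              "polluted" if is_polluted(link, TEMPLATE) else "clean")
```

Running `is_polluted` over the links of every generated page in a regression test catches a template that stops encoding its values.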

Presentation Transcript