HTTP Parameter Pollution (HPP) - SEaCURE.it presentation by Luca Carettoni and Stefano Di Paola
Throughout this presentation, we will present a new attack technique called HTTP Parameter Pollution (HPP). We will examine with a fresh perspective a newly discovered input validation flaw, while demonstrating new threats and possible attack scenarios. Such injection can be defined as the possibility to override the HTTP GET/POST parameters within the query string. In such situations, an attacker may replace existent values which are normally hardcoded and not accessible. In many cases it can be used to modify the behaviors of client-side and server-side applications, to exploit vulnerabilities in uncontrollable variables as well as bypassing web application firewalls. Some of the attacks covered in this talk have been discovered in real-world applications.
Although input validation vulnerabilities are a well-known subject in the web application security field and are extensively covered by several researchers, it is quite surprising that no formal definition of the HPP attack was previously published, as far as we know. Once again, it is a clear demonstration of how important is to develop comprehensive input validation filters in order to manage new incoming web application threats
1. HTTP Parameter Pollution
Past, Present, Future
SEaCURE.it ‐ 23 October 2009 – Milan
Luca Carettoni
Independent Researcher
luca.carettoni@ikkisoft.com
Stefano di Paola
CTO @ Minded Security
stefano.dipaola@mindedsecurity.com
2. About us
Luca “ikki” Carettoni
Penetration Testing Specialist in a worldwide financial institution
Security researcher for fun (and profit)
OWASP Italy contributor
I blog @ http://blog.nibblesec.org
Keywords: web application security, ethical hacking, Java security
Stefano “wisec” Di Paola
CTO @ Minded Security Application Security Consulting
Director of Research @ Minded Security Labs
Lead of WAPT & Code Review Activities
OWASP Italy R&D Director
Sec Research (Flash Security, SWFIntruder...)
2
WebLogs http://www.wisec.it, http://blog.mindedsecurity.com
3. Agenda
Introduction
Server enumeration
Bizarre behaviors
HPP in a nutshell
HPP Categories
Server side attacks
Concept and Real world examples
Client side attacks
Concept and Real world examples
How to detect HPP issues?
FAQs
Conclusions
DISCLAIMER: This is an updated version of our previous OWASP AppSec
2009 presentation. New tricks and hacks are included!
5. Consequence
Different input validation vulnerabilities exist
SQL Injection
LDAP Injection
XML Injection
XPath Injection
Command Injection
All input validation flaws are caused by unsanitized data
flows between the front‐end and the several back‐ends
of a web application
Anyway, we still miss something here !?!
_ _ _ Injection
7. Introduction 1/2
The term Query String is commonly used to
refer to the part between the “?” and the end
of the URI
As defined in the RFC 3986, it is a series of
field‐value pairs
Pairs are separated by “&” or “;”
The usage of semicolon is a W3C
recommendation in order to avoid escaping
RFC 2396 defines two classes of characters:
Unreserved: a‐z, A‐Z, 0‐9 and _ . ! ~ * ' ( )
Reserved: ; / ? : @ & = + $ ,
8. Introduction 2/2
GET and POST HTTP request
GET /foo?par1=val1&par2=val2 HTTP/1.1 POST /foo HTTP/1.1
User-Agent: Mozilla/5.0 User-Agent: Mozilla/5.0
Host: Host Host: Host
Accept: */* Accept: */*
Content-Length: 19
par1=val1&par2=val2
Query String meta characters are &, ?, #, ; , = and
equivalent (e.g. using encoding)
In case of multiple parameters with the same
name, HTTP back‐ends behave in several ways
10. Server enumeration ‐ Summing up
Different web servers manage multiple
occurrences in several ways
Some behaviors are quite bizarre
Whenever protocol details are not strongly
defined, implementations may strongly differ
Unusual behaviors are a usual source of
security weaknesses (MANTRA!)
15. HPP in a nutshell
HTTP Parameter Pollution (HPP) is a quite simple but
effective hacking technique
HPP attacks can be defined as the feasibility to override or
add HTTP GET/POST parameters by injecting query string
delimiters
It affects a building block of all web technologies thus server‐
side and client‐side attacks exist
Exploiting HPP vulnerabilities, it may be possible to:
Override existing hardcoded HTTP parameters
Modify the application behaviors
Access and, potentially exploit, uncontrollable variables
Bypass input validation checkpoints and WAFs rules
16. HPP Categories
Classification:
Client‐side
First order HPP or Reflected HPP
Second order HPP or Stored HPP
Third order HPP or DOM Based HPP
Server‐side
Standard HPP
Second order HPP
According to our classification, Flash Parameter
Injection* may be considered as a particular
subcategory of the HPP client‐side attack
* http://blog.watchfire.com/FPI.ppt
17. Encoding & Parameters precedence
Several well‐known
encoding techniques
may be used to inject
malicious payloads
The precedence of
GET/POST/Cookie may Apache Tomcat/6.0.18
POST /foo?par1=val1&par2=val2 HTTP/1.1
influence the Host: 127.0.0.1
application behaviors
par3=val3&par4=val4
and it can also be used FIRST occurrence, GET parameter first
to override parameters
18. HPP Server Side Attacks 1/2
Suppose some code as the following:
void private executeBackendRequest(HTTPRequest request){
String amount=request.getParameter("amount");
String beneficiary=request.getParameter("recipient");
HttpRequest("http://backendServer.com/servlet/actions","POST",
"action=transfer&amount="+amount+"&recipient="+beneficiary
);
}
Which is the attack surface?
21. HPP Server Side ‐ WAFs evasion
What would happen with WAFs that do Query String parsing
before applying filters?
Some loose WAFs may analyze and validate a single parameter
occurrence only (first or last one)
Whenever the devel environment concatenates multiple
occurrences (e.g. ASP, ASP.NET, AXIS IP Cameras, DBMan, …),
an aggressor can split the malicious payload
http://mySecureApp/db.cgi?par=<Payload_1>&par=<Payload_2>
par=<Payload_1>~~<Payload_2>
E.g. ModSecurity default core rules bypass
“Split and Join” by Lavakumar Kuppan
http://packetstormsecurity.nl/papers/attack/parameter‐pollution.pdf
22. HPP Server Side – URL Rewriting
URL Rewriting could be affected as well if
regexp are too permissive:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} .+page.php.* HTTP/
RewriteRule ^page.php.*$ - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^/]+)$ page.php?action=view&page=$1&id=0 [L]
http://host/abc
becomes:
http://host/page.php?action=view&page=abc&id=0
23. HPP Server Side – URL Rewriting
An attacker may try to inject:
http://host/abc%26action%3dedit
and the url will be rewritten as:
http://host/page.php?action=view&page=abc&action=edit&id=0
Once again, the impact depends on the
functionality exposed
23
26. Information leakage in Python 1/3
In Python, multiple occurrences of the same parameter generate a list
type object
In case of hardcoded functions that are not applicable to such object type,
the application may generate an exception and, consequently,
information disclosure
This is not an issue within the Python framework. Developers have to
properly handle unexpected errors as well as to avoid information leakage
In these real‐world examples, an aggressor can easily retrieve file system
paths, application source code, SQL queries, …
29. PayPal NVP API 1/4
PayPal NVP API is a programmatic interface that allows interaction with PayPal’s
business functionalities
PayPal NVP API is available for several programming languages such as ASP,
ASP.NET, PHP, Java, etc.
PayPal API requires a registered username/password and, either a signature or a
certificate, in order to identify the requestor
Example of a “GetBalance” operation:
METHOD=GetBalance&VERSION=51.0&PWD=<OMITTED>&USER=<OMITTED> &SIGNATURE=<OMITTED>
GetBalance Completed Successfully: Array
(
[L_AMT0] => 35770864%2e46
[L_CURRENCYCODE0] => USD
[TIMESTAMP] => 2009%2d10%2d19T10%3a04%3a42Z
[CORRELATIONID] => eab6e62b5727b
[ACK] => Success
[VERSION] => 51%2e0
[BUILD] => 1073465
)
30. PayPal NVP API 2/4
PayPal warns developers about potential problems.
“The request and response are URL‐encoded. URL‐encoding ensures that you can
transmit special characters, characters that are not allowed in a URL, and
characters that have special meaning in a URL, such as the equal sign and
ampersand.”
Source: https://cms.paypal.com/uk/cgi‐bin/?cmd=_render‐content&content_ID=developer/e_howto_api_soap_NVPAPIOverview
However, developers are fully responsible here. A simple mistake may cause a
critical security issue, as we are going to demonstrate
PhpNVPCodeGenerate/RefundTransaction.php is a sample script provided by
PayPal in order to speed up the API integration
In this code, $memo is declared but not included within an “urlencode()” function
(it is not used in such specific script).
What about an innocent cut&paste within your own application?
35. HPP Client Side attacks – Example
with Anti CSRF tokens 1/2
Suppose a Web GUI using Anti CSRF Tokens
// Jsp Example http://host/page.jsp?folder=inbox
<form action=“/servlets/addUser.do?folder=<%=HtmlEntities(request.getParameter(‘folder’))%>”>
<input type=“hidden” name=“tok” value=‘<%=getCSRFToken()%>’>
<input type=“hidden” name=“cmd” value=“add”>
<input type=text name=“user” value=“”>
<input type=“submit” value=“add User”>
</form>
If an attacker sends the link to the victim:
http://host/page.jsp?folder=inbox%26action%3duser=EvilUser
36. HPP Client Side attacks ‐ Example
with Anti CSRF tokens 2/2
Whatever user the victim add the value is overriden (In
case of J2ee), since the action is going to be:
// Jsp Example http://host/page.jsp?folder=inbox
<form action=“/servlets/addUser.do?folder=inbox&user=EvilUser”>
Since the Anti CSRF token is still there the action will be
executed.
Yes, depending on what cmd parameter allows to do, the
attacker could also modify/override the cmd parameter.
37. HPP Client Side attacks ‐ Example
with Anti Tampering HMAC
Suppose there’s an antitampering solution which
appends a HMAC based signature:
// http://host/shownews.php?showall=yes
<a href=“<?=Hmac(“/printnews.php?id=2&showall=”+$_GET [“showall” ] +””)?>” >print</a>
// http://host/shownews.php?showall=yes
<a href=“/printnews.php?id=2&showall=yes&hmac=89042ab23e65f4543e93” >print</a>
Yes, we can still try with HPP to tamper ‘id’ par by sending
http://host/shownews.php?showall=yes%26id=2+or+3=3
If the server takes the second occurrence then is still possible
to tamper the id parameter
38. HPP Client Side ‐ DOM based
It's about parsing unexpected parameters
It's about the generation of client side HPP via JavaScript
It's about the use of (XMLHttp)Requests on polluted pars
// It considers the first occurrence // It considers the last occurrence
function gup( name ) function argToObject () {
{ var sArgs = location.search.slice(1).split('&');
name = name.replace(/[[]/,"[").replace(/[]]/,"]"); var argObj={};
var regexS = "[?&]"+name+"=([^&#]*)"; for (var i = 0; i < sArgs.length; i++) {
var regex = new RegExp( regexS ); var r=sArgs[i].split('=')
var results = regex.exec( window.location.href ); argObj[r[0]]=r[1]
if( results == null ) }
return ""; return argObj
else }
return results[1];
}
40. Excite.it 1/2
Features:
Several parameters could be HPPed
Anti XSS using htmlEntities countermeasures
DOM HPP + Client Side HPP friendly!
http://search.excite.it/image/
?q=dog&page=1%26%71%
3d%66%75%63%6b%6f%
66%66%20%66%69%6e%
67%65%72%26%69%74%
65%6d%3d%30
41. Excite.it 2/2
Sweet dogs? Clicking on an image...
This is a kind of “content pollution”
Even if the example seems harmless, it may help to
41
successfully conduct social engineering attacks
42. Yahoo! Mail Classic
Features
Check antiCSRF
Dispatcher View
Html Entities filtering, antiXSS
HPP compliant! /* now fixed */
The dispatcher pattern helps the attacker
%26DEL=1%26DelFID=Inbox%26cmd=fmgt.delete
%2526cmd=fmgt.emptytrash
Attack payload:
http://it.mc257.mail.yahoo.com/mc/showFolder?fid=Inbox&order=d
own&tt=245&pSize=25&startMid=0%2526cmd=fmgt.emptytrash%
26DEL=1%26DelFID=Inbox%26cmd=fmgt.delete
44. How to detect server‐side HPP? 2/2
Enhanced web application flaws detectors (with
HPP capability) added to the latest Nessus
This is used to detect client‐side weakness too
A few other commercial and open source tools
have included this check (e.g. Cenzic)
ModSecurity added the following rule to the CRS
v.2.0.0:
SecRule ARGS_NAMES ".*" "chain,phase:2,t:none,nolog,pass,capture,setvar:'tx.arg_name_%{tx.0}=+1',msg:‘
Multiple Parameters with the same Name.'"
SecRule TX:/ARG_NAME_*/ "@gt 1"
47. Countermeasures
Speaking about HPP, several elements should be
considered:
Application business logic
Technology used
Context
Data validation (as usual!)
Output encoding
Filtering is the key to defend our systems!
Don't use HtmlEntities. They're out of context!
Instead, apply URL Encoding
Use strict regexp in URL Rewriting
Know your application environment!
48. URL encoding reference
ASP
Server.URLEncode
ASP.NET
System.Web.HttpUtility.UrlEncode
System.Web.HttpUtility.UrlDecode
Java
java.net.URLEncoder.encode
java.net.URLDecoder.decode
PHP
urlencode()
urldecode()
49. Three FAQs
Q: Most of your examples and findings use GET. What about POST ?
A: POST and COOKIE parameters may be affected as well. It is a
very interesting aspect since it gives additional flexibility for all
attacks
Q: HPP is only about WAFs bypasses?
A: Absolutely not! HPP is also about applications flow
manipulation, anti‐CSRF, content pollution
Q: Is this a new class of exploits or just another case of applications
lacking input validation?
A: Actually, HPP is an input validation flaw. As SQL Injection and
XSS, we may consider it as an injection weakness. In this specific
case, query string delimiters are the "dangerous" characters