Http Parameter Pollution, a new category of web attacks

Stefano Di Paola
Stefano Di PaolaCTO & Chief Scientist at Minded Security
HTTP Parameter Pollution



                   Luca Carettoni
                   Independent Researcher
                   luca.carettoni@ikkisoft.com

                   Stefano di Paola
OWASP              CTO @ Minded Security
                   stefano.dipaola@mindedsecurity.com
EU09 Poland
              Copyright © The OWASP Foundation
              Permission is granted to copy, distribute and/or modify this document
              under the terms of the OWASP License.




              The OWASPAppSecEU09 Poland
                    OWASP
                          Foundation
              http://www.owasp.org
About us

 Luca “ikki” Carettoni
 Penetration Testing Specialist in a worldwide financial institution
 Security researcher for fun (and profit)
 OWASP Italy contributor
 I blog @ http://blog.nibblesec.org
 Keywords: web application security, ethical hacking, Java security



 Stefano “wisec” Di Paola
 CTO @ Minded Security Application Security Consulting
 Director of Research @ Minded Security Labs
 Lead of WAPT & Code Review Activities
 OWASP Italy R&D Director
 Sec Research (Flash Security, SWFIntruder...)
 WebLogs http://www.wisec.it, http://blog.mindedsecurity.com

                                                     OWASP AppSecEU09 Poland   2
Agenda

 Introduction
   Server enumeration
 HPP in a nutshell
   HPP Categories
 Server side attacks
   Concept
   Real world examples
 Client side attacks
   Concept
   Real world examples

                         OWASP AppSecEU09 Poland
Fact

In modern web apps, several application layers are involved




                                   OWASP AppSecEU09 Poland
Consequence

Different input validation vulnerabilities exist
   SQL Injection
   LDAP Injection
   XML Injection
   XPath Injection
   Command Injection
All input validation flaws are caused by unsanitized data
flows between the front-end and the several back-ends of a
web application
Anyway, we still miss something here !?!
   _ _ _ Injection



                                      OWASP AppSecEU09 Poland
An unbelievable story…




 There is no formal definition of an injection triggered by
 query string delimiters
 As far as we know, no one has never formalized an
 injection based attack against delimiters of the most used
 protocol on the web: HTTP
 HPP is surely around since many years, however it is
 definitely underestimated
 As a result, several vulnerabilities have been discovered in
 real-world applications
                                    OWASP AppSecEU09 Poland
Introduction 1/2

 The term Query String is commonly used to
 refer to the part between the “?” and the end of
 the URI
 As defined in the RFC 3986, it is a series of field-
 value pairs
 Pairs are separated by “&” or “;”
 The usage of semicolon is a W3C
 recommendation in order to avoid escaping
 RFC 2396 defines two classes of characters:
    Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( )
    Reserved: ; / ? : @ & = + $ ,
                                    OWASP AppSecEU09 Poland
Introduction 2/2

      GET and POST HTTP request
GET /foo?par1=val1&par2=val2 HTTP/1.1   POST /foo HTTP/1.1
User-Agent: Mozilla/5.0                 User-Agent: Mozilla/5.0
Host: Host                              Host: Host
Accept: */*                             Accept: */*
                                        Content-Length: 19

                                        par1=val1&par2=val2c


     Query String meta characters are &, ?, #, ; , =
     and equivalent (e.g. using encoding)
     In case of multiple parameters with the same
     name, HTTP back-ends behave in several ways

                                            OWASP AppSecEU09 Poland
Server enumeration - List




                            OWASP AppSecEU09 Poland
Server enumeration - Summing up

 Different web servers manage multiple
 occurrences in several ways
 Some behaviors are quite bizarre
 Whenever protocol details are not strongly
 defined, implementations may strongly differ
 Unusual behaviors are a usual source of security
 weaknesses (MANTRA!)




                             OWASP AppSecEU09 Poland
Additional considerations 1/2

 As mentioned, ASP and ASP.NET concatenate the values
 with a comma in between
 This applies to the Query String and form parameters in
 ASP and ASP.NET
    Request.QueryString
    Request.Form
 Cookies have similar property in ASP.NET
    Request.Params[“par”]    POST /index.aspx?par=1&par=2 HTTP/1.1
    par = 1,2,3,4,5,6        User-Agent: Mozilla/5.0
                             Host: Host
                             Cookie: par=5; par=6
                             Content-Length: 19

                             par=3&par=4

                                   OWASP AppSecEU09 Poland
Additional considerations 2/2

 Unfortunately, application behaviors in case of multiple occurrences
 may differ as well
 This is strongly connected with the specific API used by our code
 In Java, for example:
     javax.servlet.ServletRequest Interface (Query String direct parsing)
     java.lang.String getParameter(java.lang.String name)
    Returns the value of a request parameter as a String, or null if the
    parameter does not exist
    java.lang.String[] getParameterValues(java.lang.String name)
    Returns an array of String objects containing all of the values the given
    request parameter has, or null if the parameter does not exist

 As a result, the applications may react in unexpected ways…as you
 will see!



                                              OWASP AppSecEU09 Poland
A bizarre behavior 1/4 - HPPed !




                           OWASP AppSecEU09 Poland
A bizarre behavior 2/4 - HPPed !




                           OWASP AppSecEU09 Poland
A bizarre behavior 3/4 - HPPed !




                           OWASP AppSecEU09 Poland
A bizarre behavior 4/4 - HPPed !




Since this error generates
~100 lines in the log file, it
may be used to obfuscate
other attacks
                                 OWASP AppSecEU09 Poland
HPP in a nutshell

 HTTP Parameter Pollution (HPP) is a quite simple
 but effective hacking technique
 HPP attacks can be defined as the feasibility to override
 or add HTTP GET/POST parameters by injecting query
 string delimiters
 It affects a building block of all web technologies thus
 server-side and client-side attacks exist
 Exploiting HPP vulnerabilities, it may be possible to:
    Override existing hardcoded HTTP parameters
    Modify the application behaviors
    Access and, potentially exploit, uncontrollable variables
    Bypass input validation checkpoints and WAFs rules

                                          OWASP AppSecEU09 Poland
HPP Categories
    We are not keen on inventing yet another buzzword.
    However, the standard vulnerability nomenclature seems
    lacking this concept

    Classification:
         Client-side
          1. First order HPP or Reflected HPP
          2. Second order HPP or Stored HPP
          3. Third order HPP or DOM Based HPP
         Server-side
          1. Standard HPP
          2. Second order HPP

    According to our classification, Flash Parameter Injection*
    may be considered as a particular subcategory of the HPP
    client-side attack

* http://blog.watchfire.com/FPI.ppt             OWASP AppSecEU09 Poland
Encoding & GET/POST/Cookie precedence

 Several well-known
 encoding techniques may
 be used to inject
 malicious payloads

 The precedence of
 GET/POST/Cookie may         Apache Tomcat/6.0.18

 influence the application   POST /foo?par1=val1&par1=val2 HTTP/1.1
                             Host: 127.0.0.1
 behaviors and it can also
 be used to override         par1=val3&par1=val4

 parameters                  FIRST occurrence, GET parameter first




                                     OWASP AppSecEU09 Poland
HPP Server Side Attacks 1/2

  Suppose some code as the following:

void private executeBackendRequest(HTTPRequest request){

String amount=request.getParameter(quot;amountquot;);
String beneficiary=request.getParameter(quot;recipientquot;);

HttpRequest(quot;http://backendServer.com/servlet/actionsquot;,quot;POSTquot;,
    quot;action=transfer&amount=quot;+amount+quot;&recipient=quot;+beneficiary);
}



  Which is the attack surface?


                                               OWASP AppSecEU09 Poland
HPP Server Side Attacks 2/2

  A malicious user may send a request like:

http://frontendHost.com/page?amount=1000&recipient=Mat%26action%
3dwithdraw

  Then, the frontend will build the following back-end request:
   HttpRequest(quot;http://backendServer.com/servlet/actionsquot;,quot;POSTquot;,
       quot;action=transfer&amount=quot;+amount+quot;&recipient=quot;+beneficiary);


   action=transfer&amount=1000&recipient=Mat&action=withdraw

  Obviously depends on how the application will manage the
  occurrence


                                           OWASP AppSecEU09 Poland
HPP Server Side - WebApp Firewalls

 What would happen with WAFs that do Query String parsing before
 applying filters?
 HPP can be used even to bypass WAFs ☺
 Some loose WAFs may analyze and validate a single parameter
 occurrence only (first or last one)
 Whenever the devel environment concatenates multiple occurrences
 (e.g. ASP, ASP.NET, AXIS IP Cameras, DBMan, …), an aggressor can
 split the malicious payload.
          http://mySecureApp/db.cgi?par=<Payload_1>&par=<Payload_2>




                         par=<Payload_1>~~<Payload_2>

                                                OWASP AppSecEU09 Poland
HPP Server Side – URL Rewriting

 URL Rewriting could be affected as well if
 regexp are too permissive:
  RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} .+page.php.* HTTP/
  RewriteRule ^page.php.*$ - [F,L]

  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^([^/]+)$ page.php?action=view&page=$1&id=0 [L]


   http://host/abc

   becomes:

   http://host/page.php?action=view&page=abc&id=0

                                             OWASP AppSecEU09 Poland
HPP Server Side – URL Rewriting issues

 An attacker may try to inject:
               http://host/abc%26action%3dedit


 and the url will be rewritten as:

  http://host/page.php?action=view&page=abc&action=edit&id=0


 Obviously, the impact depends on the
 functionality exposed



                                      OWASP AppSecEU09 Poland   24
Real World Examples



    Server Side Attacks



                   OWASP AppSecEU09 Poland
Google Search Appliance - HPPed !

 Once upon a time, during an assessment for XXX…
 GSA was the LAN search engine exposed for public search as well,
 with only three controllable values
 The parameter named “afilter” is used unencoded
 By polluting GSA parameters, appending %23 (“#”), we got full
 access to internal results




                                        OWASP AppSecEU09 Poland
ModSecurity - HPPed !
 ModSecurity SQL Injection filter bypass
 While the following query is properly detected
      /index.aspx?page=select 1,2,3 from table where id=1

 Using HPP, it is possible to bypass the filter
      /index.aspx?page=select 1&page=2,3 from table where id=1


 Other vendors may be affected as well
 This technique could potentially be extended to
 obfuscate attack payloads
 Lavakumar Kuppan is credited for this finding

                                            OWASP AppSecEU09 Poland
HPP Client Side attacks 1/2

 HPP Client Side is about injecting additional
 parameters to links and other src attributes
 Suppose the following code:
<? $val=htmlspecialchars($_GET['par'],ENT_QUOTES); ?>
<a href=quot;/page.php?action=view&par='.<?=$val?>.'quot;>View Me!</a>


 There's no XSS, but what about HPP?
 It’s just necessary to send a request like
    http:/host/page.php?par=123%26action=edit

 To obtain
 <a href=quot;/page.php?action=view&par=123&amp;action=editquot;>View Me!</a>
                                           OWASP AppSecEU09 Poland
HPP Client Side attacks 2/2

 Once again, it strongly depends on the
 functionalities of a link
 It's more about
    Anti-CSRF
    Functional UI Redressing
 It could be applied on every tag with
    Data, src, href attributes
    Action forms with POST method




                                OWASP AppSecEU09 Poland
HPP Client Side - DOM based

      It's    about       parsing unexpected parameters
      It's    about       the interaction between IDSs and the application
      It's    about       the generation of client side HPP via JavaScript
      It's    about       the use of (XMLHttp)Requests on polluted parameters

// First Occurrence                                            // Last Occurrence
function gup( name )                                           function argToObject () {
{                                                               var sArgs = location.search.slice(1).split('&');
  name = name.replace(/[[]/,quot;[quot;).replace(/[]]/,quot;]quot;);    var argObj={};
  var regexS = quot;[?&]quot;+name+quot;=([^&#]*)quot;;                       for (var i = 0; i < sArgs.length; i++) {
  var regex = new RegExp( regexS );                              var r=sArgs[i].split('=')
  var results = regex.exec( window.location.href );              argObj[r[0]]=r[1]
  if( results == null )                                           }
    return quot;quot;;                                                  return argObj
  else                                                         }
    return results[1];
}



                                                                 OWASP AppSecEU09 Poland
HPP Client Side - FPI, the HPP way

 As mentioned, an interesting case of HPP is the
 Flash Parameter Injection by Ayal Yogev and
 Adi Sharabani @ Watchfire
 FPI is about including FlashVars in the html itself
 when the vulnerable flash is directly dependent
 on the page itself
 A FPI will result in the injection of additional
 parameters in the param tag
 E.g. Piggybacking FlashVars
        http://myFlashApp/index.cgi?language=ENG%26globalVar=<HPP>


                                             OWASP AppSecEU09 Poland
Real World Examples



    Client Side Attacks



                   OWASP AppSecEU09 Poland
Ask.com - HPPed !

 Features:
    Anti XSS using HtmlEntities
    DOM HPP and Client Side
   HPP compliant! ;)




                                  OWASP AppSecEU09 Poland
Excite - HPPed !
       Features:
          Several parameters could be HPPed
          Anti XSS using htmlEntities countermeasures
          DOM HPP + Client Side HPP friendly!



http://search.excite.it/image/
?q=dog&page=1%26%71%
3d%66%75%63%6b%6f%
66%66%20%66%69%6e%
67%65%72%26%69%74%
65%6d%3d%30




                                          OWASP AppSecEU09 Poland
Excite - HPPed !
 Sweet dogs? Click anywhere on an image...




 This is a kind of content pollution
 Even if the example seems harmless, it may help to
 successfully conduct social engineering attacks
                                  OWASP AppSecEU09 Poland   35
MS IE8 XSS Filter Bypass - HPPed !

 IE8 checks for XSS regexp in the query string
 parameters, as well as it searches for them in the
 output
 When there's a .NET application, multiple
 occurrences of a parameter are joined using “,”
 So param=<script&param=src=”....”> becomes
 <script,src=”...”> in HTML
 As you can imagine, it bypasses the IE8 XSS filter
 Alex Kuza is credited for this finding

                              OWASP AppSecEU09 Poland
Yahoo! Mail Classic - HPPed !

 Features
    Check antiCSRF
    Dispatcher View
    Html Entities filtering, antiXSS
    HPP compliant!
 The dispatcher pattern helps the attacker
    %26DEL=1%26DelFID=Inbox%26cmd=fmgt.delete
    %2526cmd=fmgt.emptytrash
    Attack payload: http://it.mc257.mail.yahoo.com/mc/showFolder?
                      fid=Inbox&order=down&tt=245&pSize=25&sta
                      rtMid=0%2526cmd=fmgt.emptytrash%26DEL=
                      1%26DelFID=Inbox%26cmd=fmgt.delete


                                     OWASP AppSecEU09 Poland
Yahoo! Mail Classic - HPPed !

  It’s show time!




  Yahoo! has (silently) patched this issue…
                               OWASP AppSecEU09 Poland
PTK Forensic - HPPed !

   PTK, an alternative Sleuthkit Interface
   PTK is a forensic tool with a web based frontend
   written in PHP, included in the SANS SIFT
   The investigator can mount a DD image and
   then inspect files, using the Web2.0 UI
   Here, HPP is the key to exploit a critical
   vulnerability*
“...Once the investigator selects a specific file from the image filesystem, PTK
invokes the following script:
/ptk/lib/file_content.php?arg1=null&arg2=107533&arg3=<FILENAME>&arg4=1
...”

* http://www.ikkisoft.com/stuff/LC-2008-07.txt   OWASP AppSecEU09 Poland
PTK Forensic - HPPed !
Vulnerable
                      $offset = $_GET['arg1'];
                      $inode = $_GET['arg2'];
code:                 $name = $_GET['arg3']; //filename
                      $partition_id = $_GET['arg4'];
                      $page_offset = 100;
                      ...
                      $type = get_file_type($_SESSION['image_path'], $offset, $inode);
                      ...

                      function get_file_type($path, $offset, $inode){
                            include(quot;../config/conf.phpquot;);
                            if($offset == 'null'){
Since filenames are               $offset = '';
                            }else{
contained within                  $offset = quot;-o $offsetquot;;
the DD image, they          }
should be                   if($inode == 'null') $inode = '';
considered as user-         $result = shell_exec(quot;$icat_bin -r $offset $path $inode | $file_bin
                      -zb -quot;);
supplied values             if(preg_match(quot;/(image data)|(PC bitmap data)/quot;, $result)){
                                  $_SESSION['is_graphic'] = 1;
                            }     return $result;}      OWASP AppSecEU09 Poland
PTK Forensic - HPPed !

    Crafting a filename as
    Confidential.doc&arg1=;EvilShell;...
    It is actually possible to tamper the link, leading to code
    execution since PHP considers the last occurrence
.../file_content.php?arg1=null&arg2=107533&arg3=Confidentia
    l.doc&arg1=;EvilShell;...&arg4=1
  Demonstration video of the attack: http://www.vimeo.com/2161045




As a result…          …Stored HPP!
                                       OWASP AppSecEU09 Poland
PHPIDS - HPPed !


 PHPIDS is a state-of-the-art security layer for
 PHP web applications
 When dealing with DOM based HPP, PHPIDS
 could be fooled
 If the DOM based location parsing gets the first
 occurrence, then PHPIDS will consider only PHP
 behavior
 It means the last occurrence, thus no alert and
 XSS attacks still possible!
                              OWASP AppSecEU09 Poland
Countermeasures
 Speaking about HPP, several elements should be
 considered:
    Application business logic
    Technology used
    Context
    Data validation (as usual!)
    Output encoding
 Filtering is the key to defend our systems!
 Don't use HtmlEntities. They're out of context!
 Instead, apply URL Encoding
 Use strict regexp in URL Rewriting
 Know your application environment!

                                    OWASP AppSecEU09 Poland
Conclusion
 HPP is a quite simple but effective hacking technique
 HPP affects server side as well client side components
 The impact could vary depending on the affected
 functionality

 We are going to release a whitepaper about these and
 other issues, including all technical details. Stay tuned!
 HPP requires further researches in order to deeply
 understand threats and risks. Several applications are
 likely vulnerable to HPP

 Standard and guidelines on multiple occurrences of a
 parameter in the QueryString should be defined
 Awareness for application developers is crucial

                                     OWASP AppSecEU09 Poland
Q&A

 Time is over! Thanks!


 If you have further inquiries, please contact us:
     luca.carettoni@ikkisoft.com
     stefano.dipaola@mindedsecurity.com




                                       OWASP AppSecEU09 Poland
1 of 45

Recommended

libinjection: a C library for SQLi detection, from Black Hat USA 2012 by
libinjection: a C library for SQLi detection, from Black Hat USA 2012libinjection: a C library for SQLi detection, from Black Hat USA 2012
libinjection: a C library for SQLi detection, from Black Hat USA 2012Nick Galbreath
2.8K views40 slides
libinjection: from SQLi to XSS  by Nick Galbreath by
libinjection: from SQLi to XSS  by Nick Galbreathlibinjection: from SQLi to XSS  by Nick Galbreath
libinjection: from SQLi to XSS  by Nick GalbreathCODE BLUE
6.8K views38 slides
Building Advanced XSS Vectors by
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
7.8K views61 slides
HTTP HOST header attacks by
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
19.2K views29 slides
XXE injection - Nguyễn Tăng Hưng by
XXE injection - Nguyễn Tăng HưngXXE injection - Nguyễn Tăng Hưng
XXE injection - Nguyễn Tăng HưngVõ Thái Lâm
4K views29 slides
Ssrf by
SsrfSsrf
SsrfIlan Mindel
522 views4 slides

More Related Content

What's hot

OWASP API Security Top 10 Examples by
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
1.4K views26 slides
Design Beautiful REST + JSON APIs by
Design Beautiful REST + JSON APIsDesign Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIsStormpath
226K views85 slides
SFDC Batch Apex by
SFDC Batch ApexSFDC Batch Apex
SFDC Batch ApexSujit Kumar
67 views19 slides
Introduction to path traversal attack by
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
1.3K views14 slides
OWASP A4 XML External Entities (XXE) by
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)Michael Furman
1.7K views24 slides
Log4j in 8 slides by
Log4j in 8 slidesLog4j in 8 slides
Log4j in 8 slidesTarin Gamberini
3.6K views9 slides

What's hot(20)

OWASP API Security Top 10 Examples by 42Crunch
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
42Crunch1.4K views
Design Beautiful REST + JSON APIs by Stormpath
Design Beautiful REST + JSON APIsDesign Beautiful REST + JSON APIs
Design Beautiful REST + JSON APIs
Stormpath226K views
Introduction to path traversal attack by Prashant Hegde
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attack
Prashant Hegde1.3K views
OWASP A4 XML External Entities (XXE) by Michael Furman
OWASP A4 XML External Entities (XXE)OWASP A4 XML External Entities (XXE)
OWASP A4 XML External Entities (XXE)
Michael Furman1.7K views
Two scoops of Django - Security Best Practices by Spin Lai
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
Spin Lai5.9K views
Attacking thru HTTP Host header by Sergey Belov
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov1.8K views
The World of PHP PSR Standards by Radu Murzea
The World of PHP PSR StandardsThe World of PHP PSR Standards
The World of PHP PSR Standards
Radu Murzea488 views
Clean Code II - Dependency Injection by Theo Jungeblut
Clean Code II - Dependency InjectionClean Code II - Dependency Injection
Clean Code II - Dependency Injection
Theo Jungeblut8K views
API Security Best Practices and Guidelines by WSO2
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2556 views
Sql injection with sqlmap by Herman Duarte
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
Herman Duarte56.2K views
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015 by CODE BLUE
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE6.5K views
Secure coding presentation Oct 3 2020 by Moataz Kamel
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel369 views
Mikrotik Bridge Deep Dive by GLC Networks
Mikrotik Bridge Deep DiveMikrotik Bridge Deep Dive
Mikrotik Bridge Deep Dive
GLC Networks200 views
ASP.NET Core MVC + Web API with Overview by Shahed Chowdhuri
ASP.NET Core MVC + Web API with OverviewASP.NET Core MVC + Web API with Overview
ASP.NET Core MVC + Web API with Overview
Shahed Chowdhuri4.6K views
GROWI Users Meetup #2 by WESEEKWESEEK
GROWI Users Meetup #2GROWI Users Meetup #2
GROWI Users Meetup #2
WESEEKWESEEK265 views

Viewers also liked

HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011) by
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
11.5K views57 slides
Ecology by
EcologyEcology
Ecologylenok1969
1.3K views16 slides
Tackling Air Pollution at Scale_ Bengaluru by
Tackling Air Pollution at Scale_  BengaluruTackling Air Pollution at Scale_  Bengaluru
Tackling Air Pollution at Scale_ BengaluruSensing Local
668 views27 slides
The Threat of Air pollution by
The Threat of Air pollutionThe Threat of Air pollution
The Threat of Air pollutionRaj Rajaram
1.4K views18 slides
Web Crawling- Scraping Ajax Sites by
Web Crawling- Scraping Ajax SitesWeb Crawling- Scraping Ajax Sites
Web Crawling- Scraping Ajax SitesPromptCloud
2.8K views10 slides
When RSS Fails: Web Scraping with HTTP by
When RSS Fails: Web Scraping with HTTPWhen RSS Fails: Web Scraping with HTTP
When RSS Fails: Web Scraping with HTTPMatthew Turland
8.2K views46 slides

Viewers also liked(20)

HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011) by Marco Balduzzi
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi11.5K views
Ecology by lenok1969
EcologyEcology
Ecology
lenok19691.3K views
Tackling Air Pollution at Scale_ Bengaluru by Sensing Local
Tackling Air Pollution at Scale_  BengaluruTackling Air Pollution at Scale_  Bengaluru
Tackling Air Pollution at Scale_ Bengaluru
Sensing Local668 views
The Threat of Air pollution by Raj Rajaram
The Threat of Air pollutionThe Threat of Air pollution
The Threat of Air pollution
Raj Rajaram1.4K views
Web Crawling- Scraping Ajax Sites by PromptCloud
Web Crawling- Scraping Ajax SitesWeb Crawling- Scraping Ajax Sites
Web Crawling- Scraping Ajax Sites
PromptCloud2.8K views
When RSS Fails: Web Scraping with HTTP by Matthew Turland
When RSS Fails: Web Scraping with HTTPWhen RSS Fails: Web Scraping with HTTP
When RSS Fails: Web Scraping with HTTP
Matthew Turland8.2K views
Cloud computing security policy framework for mitigating denial of service at... by Venkatesh Prabhu
Cloud computing security policy framework for mitigating denial of service at...Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...
Venkatesh Prabhu987 views
TUGAS PTI MOTHERBOARD DAN MODEM by ika aprilia
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEM
ika aprilia552 views
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl... by Marco Balduzzi
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
Marco Balduzzi1.4K views
A New Form of Dos attack in Cloud by Sanoj Kumar
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in Cloud
Sanoj Kumar444 views
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations by Marco Balduzzi
 HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
Marco Balduzzi2.6K views
Cybercrime in the Deep Web (BHEU 2015) by Marco Balduzzi
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)
Marco Balduzzi983 views
600.412.Lecture02 by ragibhasan
600.412.Lecture02600.412.Lecture02
600.412.Lecture02
ragibhasan518 views
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября by Асылбек Айтматов
ОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октябряОО" Шоола Кол" презентация  Результаты поиска Санкт-Петербург  14 октября
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
Cctk support for setting hdd password by artisriva
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd password
artisriva4.7K views
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed by Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Mazin Ahmed571 views

Similar to Http Parameter Pollution, a new category of web attacks

AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P... by
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and  Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and  Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...Magno Logan
950 views45 slides
Application Note APLX-LMW-0403: Interfacing the Apache Web ... by
Application Note APLX-LMW-0403: Interfacing the Apache Web ...Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...webhostingguy
1.3K views13 slides
OWASP_Top_Ten_Proactive_Controls_v2.pptx by
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
7 views92 slides
The better PHP API (EN) by
The better PHP API (EN)The better PHP API (EN)
The better PHP API (EN)boen_robot
2.7K views20 slides
HTTP Parameter Pollution (HPP) - SEaCURE.it edition by
HTTP Parameter Pollution (HPP) - SEaCURE.it editionHTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it editionLuca Carettoni
45.1K views51 slides
Intro to web services by
Intro to web servicesIntro to web services
Intro to web servicesNeil Ghosh
4.5K views43 slides

Similar to Http Parameter Pollution, a new category of web attacks(20)

AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P... by Magno Logan
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and  Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and  Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
Magno Logan950 views
Application Note APLX-LMW-0403: Interfacing the Apache Web ... by webhostingguy
Application Note APLX-LMW-0403: Interfacing the Apache Web ...Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...
webhostingguy1.3K views
OWASP_Top_Ten_Proactive_Controls_v2.pptx by azida3
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida37 views
The better PHP API (EN) by boen_robot
The better PHP API (EN)The better PHP API (EN)
The better PHP API (EN)
boen_robot2.7K views
HTTP Parameter Pollution (HPP) - SEaCURE.it edition by Luca Carettoni
HTTP Parameter Pollution (HPP) - SEaCURE.it editionHTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it edition
Luca Carettoni45.1K views
Intro to web services by Neil Ghosh
Intro to web servicesIntro to web services
Intro to web services
Neil Ghosh4.5K views
Web application penetration testing lab setup guide by Sudhanshu Chauhan
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
Sudhanshu Chauhan1.2K views
Ajp notes-chapter-06 by Ankit Dubey
Ajp notes-chapter-06Ajp notes-chapter-06
Ajp notes-chapter-06
Ankit Dubey76 views
OWASP Portland - OWASP Top 10 For JavaScript Developers by Lewis Ardern
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern1.1K views
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases by Positive Hack Days
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult CasesPositive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days2.6K views
Drupal and Varnish Reverse Proxy by VFXCode
Drupal and Varnish Reverse ProxyDrupal and Varnish Reverse Proxy
Drupal and Varnish Reverse Proxy
VFXCode3.3K views
An Introduction to Websphere sMash for PHP Programmers by jphl
An Introduction to Websphere sMash for PHP ProgrammersAn Introduction to Websphere sMash for PHP Programmers
An Introduction to Websphere sMash for PHP Programmers
jphl8.4K views
Oracle REST Data Services Best Practices/ Overview by Kris Rice
Oracle REST Data Services Best Practices/ OverviewOracle REST Data Services Best Practices/ Overview
Oracle REST Data Services Best Practices/ Overview
Kris Rice16.4K views
Pywps a tutorial for beginners and developers by Jorge Mendes
Pywps a tutorial for beginners and developersPywps a tutorial for beginners and developers
Pywps a tutorial for beginners and developers
Jorge Mendes8.7K views
Apache Storm and Oracle Event Processing for Real-time Analytics by Prabhu Thukkaram
Apache Storm and Oracle Event Processing for Real-time AnalyticsApache Storm and Oracle Event Processing for Real-time Analytics
Apache Storm and Oracle Event Processing for Real-time Analytics
Prabhu Thukkaram2.8K views

Recently uploaded

Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O... by
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...ShapeBlue
88 views13 slides
Kyo - Functional Scala 2023.pdf by
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdfFlavio W. Brasil
449 views92 slides
NTGapps NTG LowCode Platform by
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform Mustafa Kuğu
365 views30 slides
State of the Union - Rohit Yadav - Apache CloudStack by
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStackShapeBlue
253 views53 slides
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... by
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...ShapeBlue
98 views29 slides
CryptoBotsAI by
CryptoBotsAICryptoBotsAI
CryptoBotsAIchandureddyvadala199
40 views5 slides

Recently uploaded(20)

Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O... by ShapeBlue
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...
ShapeBlue88 views
NTGapps NTG LowCode Platform by Mustafa Kuğu
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform
Mustafa Kuğu365 views
State of the Union - Rohit Yadav - Apache CloudStack by ShapeBlue
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStack
ShapeBlue253 views
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti... by ShapeBlue
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
DRaaS using Snapshot copy and destination selection (DRaaS) - Alexandre Matti...
ShapeBlue98 views
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by ShapeBlue
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
ShapeBlue144 views
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... by The Digital Insurer
Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...Webinar : Desperately Seeking Transformation - Part 2:  Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ... by ShapeBlue
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
ShapeBlue79 views
DRBD Deep Dive - Philipp Reisner - LINBIT by ShapeBlue
DRBD Deep Dive - Philipp Reisner - LINBITDRBD Deep Dive - Philipp Reisner - LINBIT
DRBD Deep Dive - Philipp Reisner - LINBIT
ShapeBlue140 views
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit... by ShapeBlue
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
ShapeBlue117 views
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ... by ShapeBlue
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
Live Demo Showcase: Unveiling Dell PowerFlex’s IaaS Capabilities with Apache ...
ShapeBlue85 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue166 views
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue by ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue103 views
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue163 views
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T by ShapeBlue
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&TCloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
CloudStack and GitOps at Enterprise Scale - Alex Dometrius, Rene Glover - AT&T
ShapeBlue112 views
Digital Personal Data Protection (DPDP) Practical Approach For CISOs by Priyanka Aash
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash153 views
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f... by TrustArc
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc160 views
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ... by ShapeBlue
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
Backroll, News and Demo - Pierre Charton, Matthias Dhellin, Ousmane Diarra - ...
ShapeBlue146 views

Http Parameter Pollution, a new category of web attacks

  • 1. HTTP Parameter Pollution Luca Carettoni Independent Researcher luca.carettoni@ikkisoft.com Stefano di Paola OWASP CTO @ Minded Security stefano.dipaola@mindedsecurity.com EU09 Poland Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASPAppSecEU09 Poland OWASP Foundation http://www.owasp.org
  • 2. About us Luca “ikki” Carettoni Penetration Testing Specialist in a worldwide financial institution Security researcher for fun (and profit) OWASP Italy contributor I blog @ http://blog.nibblesec.org Keywords: web application security, ethical hacking, Java security Stefano “wisec” Di Paola CTO @ Minded Security Application Security Consulting Director of Research @ Minded Security Labs Lead of WAPT & Code Review Activities OWASP Italy R&D Director Sec Research (Flash Security, SWFIntruder...) WebLogs http://www.wisec.it, http://blog.mindedsecurity.com OWASP AppSecEU09 Poland 2
  • 3. Agenda Introduction Server enumeration HPP in a nutshell HPP Categories Server side attacks Concept Real world examples Client side attacks Concept Real world examples OWASP AppSecEU09 Poland
  • 4. Fact In modern web apps, several application layers are involved OWASP AppSecEU09 Poland
  • 5. Consequence Different input validation vulnerabilities exist SQL Injection LDAP Injection XML Injection XPath Injection Command Injection All input validation flaws are caused by unsanitized data flows between the front-end and the several back-ends of a web application Anyway, we still miss something here !?! _ _ _ Injection OWASP AppSecEU09 Poland
  • 6. An unbelievable story… There is no formal definition of an injection triggered by query string delimiters As far as we know, no one has never formalized an injection based attack against delimiters of the most used protocol on the web: HTTP HPP is surely around since many years, however it is definitely underestimated As a result, several vulnerabilities have been discovered in real-world applications OWASP AppSecEU09 Poland
  • 7. Introduction 1/2 The term Query String is commonly used to refer to the part between the “?” and the end of the URI As defined in the RFC 3986, it is a series of field- value pairs Pairs are separated by “&” or “;” The usage of semicolon is a W3C recommendation in order to avoid escaping RFC 2396 defines two classes of characters: Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( ) Reserved: ; / ? : @ & = + $ , OWASP AppSecEU09 Poland
  • 8. Introduction 2/2 GET and POST HTTP request GET /foo?par1=val1&par2=val2 HTTP/1.1 POST /foo HTTP/1.1 User-Agent: Mozilla/5.0 User-Agent: Mozilla/5.0 Host: Host Host: Host Accept: */* Accept: */* Content-Length: 19 par1=val1&par2=val2c Query String meta characters are &, ?, #, ; , = and equivalent (e.g. using encoding) In case of multiple parameters with the same name, HTTP back-ends behave in several ways OWASP AppSecEU09 Poland
  • 9. Server enumeration - List OWASP AppSecEU09 Poland
  • 10. Server enumeration - Summing up Different web servers manage multiple occurrences in several ways Some behaviors are quite bizarre Whenever protocol details are not strongly defined, implementations may strongly differ Unusual behaviors are a usual source of security weaknesses (MANTRA!) OWASP AppSecEU09 Poland
  • 11. Additional considerations 1/2 As mentioned, ASP and ASP.NET concatenate the values with a comma in between This applies to the Query String and form parameters in ASP and ASP.NET Request.QueryString Request.Form Cookies have similar property in ASP.NET Request.Params[“par”] POST /index.aspx?par=1&par=2 HTTP/1.1 par = 1,2,3,4,5,6 User-Agent: Mozilla/5.0 Host: Host Cookie: par=5; par=6 Content-Length: 19 par=3&par=4 OWASP AppSecEU09 Poland
  • 12. Additional considerations 2/2 Unfortunately, application behaviors in case of multiple occurrences may differ as well This is strongly connected with the specific API used by our code In Java, for example: javax.servlet.ServletRequest Interface (Query String direct parsing) java.lang.String getParameter(java.lang.String name) Returns the value of a request parameter as a String, or null if the parameter does not exist java.lang.String[] getParameterValues(java.lang.String name) Returns an array of String objects containing all of the values the given request parameter has, or null if the parameter does not exist As a result, the applications may react in unexpected ways…as you will see! OWASP AppSecEU09 Poland
  • 13. A bizarre behavior 1/4 - HPPed ! OWASP AppSecEU09 Poland
  • 14. A bizarre behavior 2/4 - HPPed ! OWASP AppSecEU09 Poland
  • 15. A bizarre behavior 3/4 - HPPed ! OWASP AppSecEU09 Poland
  • 16. A bizarre behavior 4/4 - HPPed ! Since this error generates ~100 lines in the log file, it may be used to obfuscate other attacks OWASP AppSecEU09 Poland
  • 17. HPP in a nutshell HTTP Parameter Pollution (HPP) is a quite simple but effective hacking technique HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters It affects a building block of all web technologies thus server-side and client-side attacks exist Exploiting HPP vulnerabilities, it may be possible to: Override existing hardcoded HTTP parameters Modify the application behaviors Access and, potentially exploit, uncontrollable variables Bypass input validation checkpoints and WAFs rules OWASP AppSecEU09 Poland
  • 18. HPP Categories We are not keen on inventing yet another buzzword. However, the standard vulnerability nomenclature seems lacking this concept Classification: Client-side 1. First order HPP or Reflected HPP 2. Second order HPP or Stored HPP 3. Third order HPP or DOM Based HPP Server-side 1. Standard HPP 2. Second order HPP According to our classification, Flash Parameter Injection* may be considered as a particular subcategory of the HPP client-side attack * http://blog.watchfire.com/FPI.ppt OWASP AppSecEU09 Poland
  • 19. Encoding & GET/POST/Cookie precedence Several well-known encoding techniques may be used to inject malicious payloads The precedence of GET/POST/Cookie may Apache Tomcat/6.0.18 influence the application POST /foo?par1=val1&par1=val2 HTTP/1.1 Host: 127.0.0.1 behaviors and it can also be used to override par1=val3&par1=val4 parameters FIRST occurrence, GET parameter first OWASP AppSecEU09 Poland
  • 20. HPP Server Side Attacks 1/2 Suppose some code as the following: void private executeBackendRequest(HTTPRequest request){ String amount=request.getParameter(quot;amountquot;); String beneficiary=request.getParameter(quot;recipientquot;); HttpRequest(quot;http://backendServer.com/servlet/actionsquot;,quot;POSTquot;, quot;action=transfer&amount=quot;+amount+quot;&recipient=quot;+beneficiary); } Which is the attack surface? OWASP AppSecEU09 Poland
  • 21. HPP Server Side Attacks 2/2 A malicious user may send a request like: http://frontendHost.com/page?amount=1000&recipient=Mat%26action% 3dwithdraw Then, the frontend will build the following back-end request: HttpRequest(quot;http://backendServer.com/servlet/actionsquot;,quot;POSTquot;, quot;action=transfer&amount=quot;+amount+quot;&recipient=quot;+beneficiary); action=transfer&amount=1000&recipient=Mat&action=withdraw Obviously depends on how the application will manage the occurrence OWASP AppSecEU09 Poland
  • 22. HPP Server Side - WebApp Firewalls What would happen with WAFs that do Query String parsing before applying filters? HPP can be used even to bypass WAFs ☺ Some loose WAFs may analyze and validate a single parameter occurrence only (first or last one) Whenever the devel environment concatenates multiple occurrences (e.g. ASP, ASP.NET, AXIS IP Cameras, DBMan, …), an aggressor can split the malicious payload. http://mySecureApp/db.cgi?par=<Payload_1>&par=<Payload_2> par=<Payload_1>~~<Payload_2> OWASP AppSecEU09 Poland
  • 23. HPP Server Side – URL Rewriting URL Rewriting could be affected as well if regexp are too permissive: RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} .+page.php.* HTTP/ RewriteRule ^page.php.*$ - [F,L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^([^/]+)$ page.php?action=view&page=$1&id=0 [L] http://host/abc becomes: http://host/page.php?action=view&page=abc&id=0 OWASP AppSecEU09 Poland
  • 24. HPP Server Side – URL Rewriting issues An attacker may try to inject: http://host/abc%26action%3dedit and the url will be rewritten as: http://host/page.php?action=view&page=abc&action=edit&id=0 Obviously, the impact depends on the functionality exposed OWASP AppSecEU09 Poland 24
  • 25. Real World Examples Server Side Attacks OWASP AppSecEU09 Poland
  • 26. Google Search Appliance - HPPed ! Once upon a time, during an assessment for XXX… GSA was the LAN search engine exposed for public search as well, with only three controllable values The parameter named “afilter” is used unencoded By polluting GSA parameters, appending %23 (“#”), we got full access to internal results OWASP AppSecEU09 Poland
  • 27. ModSecurity - HPPed ! ModSecurity SQL Injection filter bypass While the following query is properly detected /index.aspx?page=select 1,2,3 from table where id=1 Using HPP, it is possible to bypass the filter /index.aspx?page=select 1&page=2,3 from table where id=1 Other vendors may be affected as well This technique could potentially be extended to obfuscate attack payloads Lavakumar Kuppan is credited for this finding OWASP AppSecEU09 Poland
  • 28. HPP Client Side attacks 1/2 HPP Client Side is about injecting additional parameters to links and other src attributes Suppose the following code: <? $val=htmlspecialchars($_GET['par'],ENT_QUOTES); ?> <a href=quot;/page.php?action=view&par='.<?=$val?>.'quot;>View Me!</a> There's no XSS, but what about HPP? It’s just necessary to send a request like http:/host/page.php?par=123%26action=edit To obtain <a href=quot;/page.php?action=view&par=123&amp;action=editquot;>View Me!</a> OWASP AppSecEU09 Poland
  • 29. HPP Client Side attacks 2/2 Once again, it strongly depends on the functionalities of a link It's more about Anti-CSRF Functional UI Redressing It could be applied on every tag with Data, src, href attributes Action forms with POST method OWASP AppSecEU09 Poland
  • 30. HPP Client Side - DOM based It's about parsing unexpected parameters It's about the interaction between IDSs and the application It's about the generation of client side HPP via JavaScript It's about the use of (XMLHttp)Requests on polluted parameters // First Occurrence // Last Occurrence function gup( name ) function argToObject () { { var sArgs = location.search.slice(1).split('&'); name = name.replace(/[[]/,quot;[quot;).replace(/[]]/,quot;]quot;); var argObj={}; var regexS = quot;[?&]quot;+name+quot;=([^&#]*)quot;; for (var i = 0; i < sArgs.length; i++) { var regex = new RegExp( regexS ); var r=sArgs[i].split('=') var results = regex.exec( window.location.href ); argObj[r[0]]=r[1] if( results == null ) } return quot;quot;; return argObj else } return results[1]; } OWASP AppSecEU09 Poland
  • 31. HPP Client Side - FPI, the HPP way As mentioned, an interesting case of HPP is the Flash Parameter Injection by Ayal Yogev and Adi Sharabani @ Watchfire FPI is about including FlashVars in the html itself when the vulnerable flash is directly dependent on the page itself A FPI will result in the injection of additional parameters in the param tag E.g. Piggybacking FlashVars http://myFlashApp/index.cgi?language=ENG%26globalVar=<HPP> OWASP AppSecEU09 Poland
  • 32. Real World Examples Client Side Attacks OWASP AppSecEU09 Poland
  • 33. Ask.com - HPPed ! Features: Anti XSS using HtmlEntities DOM HPP and Client Side HPP compliant! ;) OWASP AppSecEU09 Poland
  • 34. Excite - HPPed ! Features: Several parameters could be HPPed Anti XSS using htmlEntities countermeasures DOM HPP + Client Side HPP friendly! http://search.excite.it/image/ ?q=dog&page=1%26%71% 3d%66%75%63%6b%6f% 66%66%20%66%69%6e% 67%65%72%26%69%74% 65%6d%3d%30 OWASP AppSecEU09 Poland
  • 35. Excite - HPPed ! Sweet dogs? Click anywhere on an image... This is a kind of content pollution Even if the example seems harmless, it may help to successfully conduct social engineering attacks OWASP AppSecEU09 Poland 35
  • 36. MS IE8 XSS Filter Bypass - HPPed ! IE8 checks for XSS regexp in the query string parameters, as well as it searches for them in the output When there's a .NET application, multiple occurrences of a parameter are joined using “,” So param=<script&param=src=”....”> becomes <script,src=”...”> in HTML As you can imagine, it bypasses the IE8 XSS filter Alex Kuza is credited for this finding OWASP AppSecEU09 Poland
  • 37. Yahoo! Mail Classic - HPPed ! Features Check antiCSRF Dispatcher View Html Entities filtering, antiXSS HPP compliant! The dispatcher pattern helps the attacker %26DEL=1%26DelFID=Inbox%26cmd=fmgt.delete %2526cmd=fmgt.emptytrash Attack payload: http://it.mc257.mail.yahoo.com/mc/showFolder? fid=Inbox&order=down&tt=245&pSize=25&sta rtMid=0%2526cmd=fmgt.emptytrash%26DEL= 1%26DelFID=Inbox%26cmd=fmgt.delete OWASP AppSecEU09 Poland
  • 38. Yahoo! Mail Classic - HPPed ! It’s show time! Yahoo! has (silently) patched this issue… OWASP AppSecEU09 Poland
  • 39. PTK Forensic - HPPed ! PTK, an alternative Sleuthkit Interface PTK is a forensic tool with a web based frontend written in PHP, included in the SANS SIFT The investigator can mount a DD image and then inspect files, using the Web2.0 UI Here, HPP is the key to exploit a critical vulnerability* “...Once the investigator selects a specific file from the image filesystem, PTK invokes the following script: /ptk/lib/file_content.php?arg1=null&arg2=107533&arg3=<FILENAME>&arg4=1 ...” * http://www.ikkisoft.com/stuff/LC-2008-07.txt OWASP AppSecEU09 Poland
  • 40. PTK Forensic - HPPed ! Vulnerable $offset = $_GET['arg1']; $inode = $_GET['arg2']; code: $name = $_GET['arg3']; //filename $partition_id = $_GET['arg4']; $page_offset = 100; ... $type = get_file_type($_SESSION['image_path'], $offset, $inode); ... function get_file_type($path, $offset, $inode){ include(quot;../config/conf.phpquot;); if($offset == 'null'){ Since filenames are $offset = ''; }else{ contained within $offset = quot;-o $offsetquot;; the DD image, they } should be if($inode == 'null') $inode = ''; considered as user- $result = shell_exec(quot;$icat_bin -r $offset $path $inode | $file_bin -zb -quot;); supplied values if(preg_match(quot;/(image data)|(PC bitmap data)/quot;, $result)){ $_SESSION['is_graphic'] = 1; } return $result;} OWASP AppSecEU09 Poland
  • 41. PTK Forensic - HPPed ! Crafting a filename as Confidential.doc&arg1=;EvilShell;... It is actually possible to tamper the link, leading to code execution since PHP considers the last occurrence .../file_content.php?arg1=null&arg2=107533&arg3=Confidentia l.doc&arg1=;EvilShell;...&arg4=1 Demonstration video of the attack: http://www.vimeo.com/2161045 As a result… …Stored HPP! OWASP AppSecEU09 Poland
  • 42. PHPIDS - HPPed ! PHPIDS is a state-of-the-art security layer for PHP web applications When dealing with DOM based HPP, PHPIDS could be fooled If the DOM based location parsing gets the first occurrence, then PHPIDS will consider only PHP behavior It means the last occurrence, thus no alert and XSS attacks still possible! OWASP AppSecEU09 Poland
  • 43. Countermeasures Speaking about HPP, several elements should be considered: Application business logic Technology used Context Data validation (as usual!) Output encoding Filtering is the key to defend our systems! Don't use HtmlEntities. They're out of context! Instead, apply URL Encoding Use strict regexp in URL Rewriting Know your application environment! OWASP AppSecEU09 Poland
  • 44. Conclusion HPP is a quite simple but effective hacking technique HPP affects server side as well client side components The impact could vary depending on the affected functionality We are going to release a whitepaper about these and other issues, including all technical details. Stay tuned! HPP requires further researches in order to deeply understand threats and risks. Several applications are likely vulnerable to HPP Standard and guidelines on multiple occurrences of a parameter in the QueryString should be defined Awareness for application developers is crucial OWASP AppSecEU09 Poland
  • 45. Q&A Time is over! Thanks! If you have further inquiries, please contact us: luca.carettoni@ikkisoft.com stefano.dipaola@mindedsecurity.com OWASP AppSecEU09 Poland