SlideShare a Scribd company logo

AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di Paola

Magno Logan
Magno Logan

This document discusses HTTP Parameter Pollution (HPP), a technique for overriding or adding HTTP parameters by injecting query string delimiters. It can enable server-side attacks by modifying backend requests or bypassing web application firewalls. On the client-side, HPP can inject additional parameters into links and tags to enable attacks like anti-CSRF, UI redressing, or modifying POST requests. Real-world examples show HPP bypassing filters and accessing internal search results. The document categorizes HPP attacks and argues it is an underestimated issue affecting all web technologies.

Technology
1 of 45
Download to read offline
OWASP AppSecEU09 Poland Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP EU09 Poland http://www.owasp.org HTTP Parameter Pollution Luca Carettoni Independent Researcher luca.carettoni@ikkisoft.com Stefano di Paola CTO @ Minded Security stefano.dipaola@mindedsecurity.com
OWASP AppSecEU09 Poland 2 About us Luca “ikki” Carettoni Penetration Testing Specialist in a worldwide financial institution Security researcher for fun (and profit) OWASP Italy contributor I blog @ http://blog.nibblesec.org Keywords: web application security, ethical hacking, Java security Stefano “wisec” Di Paola CTO @ Minded Security Application Security Consulting Director of Research @ Minded Security Labs Lead of WAPT & Code Review Activities OWASP Italy R&D Director Sec Research (Flash Security, SWFIntruder...) WebLogs http://www.wisec.it, http://blog.mindedsecurity.com
OWASP AppSecEU09 Poland Agenda Introduction Server enumeration HPP in a nutshell HPP Categories Server side attacks Concept Real world examples Client side attacks Concept Real world examples
OWASP AppSecEU09 Poland Fact In modern web apps, several application layers are involved
OWASP AppSecEU09 Poland Consequence Different input validation vulnerabilities exist SQL Injection LDAP Injection XML Injection XPath Injection Command Injection All input validation flaws are caused by unsanitized data flows between the front-end and the several back-ends of a web application Anyway, we still miss something here !?! _ _ _ Injection
OWASP AppSecEU09 Poland An unbelievable story… There is no formal definition of an injection triggered by query string delimiters As far as we know, no one has never formalized an injection based attack against delimiters of the most used protocol on the web: HTTP HPP is surely around since many years, however it is definitely underestimated As a result, several vulnerabilities have been discovered in real-world applications
OWASP AppSecEU09 Poland Introduction 1/2 The term Query String is commonly used to refer to the part between the “?” and the end of the URI As defined in the RFC 3986, it is a series of field- value pairs Pairs are separated by “&” or “;” The usage of semicolon is a W3C recommendation in order to avoid escaping RFC 2396 defines two classes of characters: Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( ) Reserved: ; / ? : @ & = + $ ,
OWASP AppSecEU09 Poland Introduction 2/2 GET and POST HTTP request Query String meta characters are &, ?, #, ; , = and equivalent (e.g. using encoding) In case of multiple parameters with the same name, HTTP back-ends behave in several ways GET /foo?par1=val1&par2=val2 HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Accept: */* POST /foo HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Accept: */* Content-Length: 19 par1=val1&par2=val2c
OWASP AppSecEU09 Poland Server enumeration - List
OWASP AppSecEU09 Poland Server enumeration - Summing up Different web servers manage multiple occurrences in several ways Some behaviors are quite bizarre Whenever protocol details are not strongly defined, implementations may strongly differ Unusual behaviors are a usual source of security weaknesses (MANTRA!)
OWASP AppSecEU09 Poland Additional considerations 1/2 As mentioned, ASP and ASP.NET concatenate the values with a comma in between This applies to the Query String and form parameters in ASP and ASP.NET Request.QueryString Request.Form Cookies have similar property in ASP.NET Request.Params[“par”] par = 1,2,3,4,5,6 POST /index.aspx?par=1&par=2 HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Cookie: par=5; par=6 Content-Length: 19 par=3&par=4
OWASP AppSecEU09 Poland Additional considerations 2/2 Unfortunately, application behaviors in case of multiple occurrences may differ as well This is strongly connected with the specific API used by our code In Java, for example: javax.servlet.ServletRequest Interface (Query String direct parsing) java.lang.String getParameter(java.lang.String name) Returns the value of a request parameter as a String, or null if the parameter does not exist java.lang.String[] getParameterValues(java.lang.String name) Returns an array of String objects containing all of the values the given request parameter has, or null if the parameter does not exist As a result, the applications may react in unexpected ways…as you will see!
OWASP AppSecEU09 Poland A bizarre behavior 1/4 - HPPed !
OWASP AppSecEU09 Poland A bizarre behavior 2/4 - HPPed !
OWASP AppSecEU09 Poland A bizarre behavior 3/4 - HPPed !
OWASP AppSecEU09 Poland A bizarre behavior 4/4 - HPPed ! Since this error generates ~100 lines in the log file, it may be used to obfuscate other attacks
OWASP AppSecEU09 Poland HPP in a nutshell HTTP Parameter Pollution (HPP) is a quite simple but effective hacking technique HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters It affects a building block of all web technologies thus server-side and client-side attacks exist Exploiting HPP vulnerabilities, it may be possible to: Override existing hardcoded HTTP parameters Modify the application behaviors Access and, potentially exploit, uncontrollable variables Bypass input validation checkpoints and WAFs rules
OWASP AppSecEU09 Poland HPP Categories We are not keen on inventing yet another buzzword. However, the standard vulnerability nomenclature seems lacking this concept Classification: Client-side 1. First order HPP or Reflected HPP 2. Second order HPP or Stored HPP 3. Third order HPP or DOM Based HPP Server-side 1. Standard HPP 2. Second order HPP According to our classification, Flash Parameter Injection* may be considered as a particular subcategory of the HPP client-side attack * http://blog.watchfire.com/FPI.ppt
OWASP AppSecEU09 Poland Encoding & GET/POST/Cookie precedence Several well-known encoding techniques may be used to inject malicious payloads The precedence of GET/POST/Cookie may influence the application behaviors and it can also be used to override parameters Apache Tomcat/6.0.18 POST /foo?par1=val1&par1=val2 HTTP/1.1 Host: 127.0.0.1 par1=val3&par1=val4 FIRST occurrence, GET parameter first
OWASP AppSecEU09 Poland HPP Server Side Attacks 1/2 Suppose some code as the following: Which is the attack surface? void private executeBackendRequest(HTTPRequest request){ String amount=request.getParameter("amount"); String beneficiary=request.getParameter("recipient"); HttpRequest("http://backendServer.com/servlet/actions","POST", "action=transfer&amount="+amount+"&recipient="+beneficiary); }
OWASP AppSecEU09 Poland HPP Server Side Attacks 2/2 A malicious user may send a request like: Then, the frontend will build the following back-end request: Obviously depends on how the application will manage the occurrence http://frontendHost.com/page?amount=1000&recipient=Mat%26action% 3dwithdraw action=transfer&amount=1000&recipient=Mat&action=withdraw HttpRequest("http://backendServer.com/servlet/actions","POST", "action=transfer&amount="+amount+"&recipient="+beneficiary);
OWASP AppSecEU09 Poland HPP Server Side - WebApp Firewalls What would happen with WAFs that do Query String parsing before applying filters? HPP can be used even to bypass WAFs ☺ Some loose WAFs may analyze and validate a single parameter occurrence only (first or last one) Whenever the devel environment concatenates multiple occurrences (e.g. ASP, ASP.NET, AXIS IP Cameras, DBMan, …), an aggressor can split the malicious payload. http://mySecureApp/db.cgi?par=<Payload_1>&par=<Payload_2> par=<Payload_1>~~<Payload_2>
OWASP AppSecEU09 Poland HPP Server Side – URL Rewriting URL Rewriting could be affected as well if regexp are too permissive: RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} .+page.php.* HTTP/ RewriteRule ^page.php.*$ - [F,L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^([^/]+)$ page.php?action=view&page=$1&id=0 [L] http://host/abc becomes: http://host/page.php?action=view&page=abc&id=0
OWASP AppSecEU09 Poland HPP Server Side – URL Rewriting issues An attacker may try to inject: http://host/abc%26action%3dedit and the url will be rewritten as: http://host/page.php?action=view&page=abc&action=edit&id=0 Obviously, the impact depends on the functionality exposed 24
OWASP AppSecEU09 Poland Real World Examples Server Side Attacks
OWASP AppSecEU09 Poland Google Search Appliance - HPPed ! Once upon a time, during an assessment for XXX… GSA was the LAN search engine exposed for public search as well, with only three controllable values The parameter named “afilter” is used unencoded By polluting GSA parameters, appending %23 (“#”), we got full access to internal results
OWASP AppSecEU09 Poland ModSecurity - HPPed ! ModSecurity SQL Injection filter bypass While the following query is properly detected Using HPP, it is possible to bypass the filter Other vendors may be affected as well This technique could potentially be extended to obfuscate attack payloads Lavakumar Kuppan is credited for this finding /index.aspx?page=select 1,2,3 from table where id=1 /index.aspx?page=select 1&page=2,3 from table where id=1
OWASP AppSecEU09 Poland HPP Client Side attacks 1/2 HPP Client Side is about injecting additional parameters to links and other src attributes Suppose the following code: There's no XSS, but what about HPP? It’s just necessary to send a request like To obtain <? $val=htmlspecialchars($_GET['par'],ENT_QUOTES); ?> <a href="/page.php?action=view&par='.<?=$val?>.'">View Me!</a> http:/host/page.php?par=123%26action=edit <a href="/page.php?action=view&par=123&amp;action=edit">View Me!</a>
OWASP AppSecEU09 Poland HPP Client Side attacks 2/2 Once again, it strongly depends on the functionalities of a link It's more about Anti-CSRF Functional UI Redressing It could be applied on every tag with Data, src, href attributes Action forms with POST method
OWASP AppSecEU09 Poland HPP Client Side - DOM based It's about parsing unexpected parameters It's about the interaction between IDSs and the application It's about the generation of client side HPP via JavaScript It's about the use of (XMLHttp)Requests on polluted parameters // First Occurrence function gup( name ) { name = name.replace(/[[]/,"[").replace(/[]]/,"]"); var regexS = "[?&]"+name+"=([^&#]*)"; var regex = new RegExp( regexS ); var results = regex.exec( window.location.href ); if( results == null ) return ""; else return results[1]; } // Last Occurrence function argToObject () { var sArgs = location.search.slice(1).split('&'); var argObj={}; for (var i = 0; i < sArgs.length; i++) { var r=sArgs[i].split('=') argObj[r[0]]=r[1] } return argObj }
OWASP AppSecEU09 Poland HPP Client Side - FPI, the HPP way As mentioned, an interesting case of HPP is the Flash Parameter Injection by Ayal Yogev and Adi Sharabani @ Watchfire FPI is about including FlashVars in the html itself when the vulnerable flash is directly dependent on the page itself A FPI will result in the injection of additional parameters in the param tag E.g. Piggybacking FlashVars http://myFlashApp/index.cgi?language=ENG%26globalVar=<HPP>
OWASP AppSecEU09 Poland Real World Examples Client Side Attacks
OWASP AppSecEU09 Poland Ask.com - HPPed ! Features: Anti XSS using HtmlEntities DOM HPP and Client Side HPP compliant! ;)
OWASP AppSecEU09 Poland Excite - HPPed ! Features: Several parameters could be HPPed Anti XSS using htmlEntities countermeasures DOM HPP + Client Side HPP friendly! http://search.excite.it/image/ ?q=dog&page=1%26%71% 3d%66%75%63%6b%6f% 66%66%20%66%69%6e% 67%65%72%26%69%74% 65%6d%3d%30
OWASP AppSecEU09 Poland Excite - HPPed ! 35 Sweet dogs? Click anywhere on an image... This is a kind of content pollution Even if the example seems harmless, it may help to successfully conduct social engineering attacks
OWASP AppSecEU09 Poland MS IE8 XSS Filter Bypass - HPPed ! IE8 checks for XSS regexp in the query string parameters, as well as it searches for them in the output When there's a .NET application, multiple occurrences of a parameter are joined using “,” So param=<script&param=src=”....”> becomes <script,src=”...”> in HTML As you can imagine, it bypasses the IE8 XSS filter Alex Kuza is credited for this finding
OWASP AppSecEU09 Poland Yahoo! Mail Classic - HPPed ! Features Check antiCSRF Dispatcher View Html Entities filtering, antiXSS HPP compliant! The dispatcher pattern helps the attacker %26DEL=1%26DelFID=Inbox%26cmd=fmgt.delete %2526cmd=fmgt.emptytrash Attack payload: http://it.mc257.mail.yahoo.com/mc/showFolder? fid=Inbox&order=down&tt=245&pSize=25&sta rtMid=0%2526cmd=fmgt.emptytrash%26DEL= 1%26DelFID=Inbox%26cmd=fmgt.delete
OWASP AppSecEU09 Poland Yahoo! Mail Classic - HPPed ! It’s show time! Yahoo! has (silently) patched this issue…
OWASP AppSecEU09 Poland PTK Forensic - HPPed ! PTK, an alternative Sleuthkit Interface PTK is a forensic tool with a web based frontend written in PHP, included in the SANS SIFT The investigator can mount a DD image and then inspect files, using the Web2.0 UI Here, HPP is the key to exploit a critical vulnerability* * http://www.ikkisoft.com/stuff/LC-2008-07.txt “...Once the investigator selects a specific file from the image filesystem, PTK invokes the following script: /ptk/lib/file_content.php?arg1=null&arg2=107533&arg3=<FILENAME>&arg4=1 ...”
OWASP AppSecEU09 Poland PTK Forensic - HPPed ! Vulnerable code: Since filenames are contained within the DD image, they should be considered as user- supplied values $offset = $_GET['arg1']; $inode = $_GET['arg2']; $name = $_GET['arg3']; //filename $partition_id = $_GET['arg4']; $page_offset = 100; ... $type = get_file_type($_SESSION['image_path'], $offset, $inode); ... function get_file_type($path, $offset, $inode){ include("../config/conf.php"); if($offset == 'null'){ $offset = ''; }else{ $offset = "-o $offset"; } if($inode == 'null') $inode = ''; $result = shell_exec("$icat_bin -r $offset $path $inode | $file_bin -zb -"); if(preg_match("/(image data)|(PC bitmap data)/", $result)){ $_SESSION['is_graphic'] = 1; } return $result;}
OWASP AppSecEU09 Poland PTK Forensic - HPPed ! Crafting a filename as Confidential.doc&arg1=;EvilShell;... It is actually possible to tamper the link, leading to code execution since PHP considers the last occurrence .../file_content.php?arg1=null&arg2=107533&arg3=Confidentia l.doc&arg1=;EvilShell;...&arg4=1 Demonstration video of the attack: http://www.vimeo.com/2161045 As a result… …Stored HPP!
OWASP AppSecEU09 Poland PHPIDS - HPPed ! PHPIDS is a state-of-the-art security layer for PHP web applications When dealing with DOM based HPP, PHPIDS could be fooled If the DOM based location parsing gets the first occurrence, then PHPIDS will consider only PHP behavior It means the last occurrence, thus no alert and XSS attacks still possible!
OWASP AppSecEU09 Poland Countermeasures Speaking about HPP, several elements should be considered: Application business logic Technology used Context Data validation (as usual!) Output encoding Filtering is the key to defend our systems! Don't use HtmlEntities. They're out of context! Instead, apply URL Encoding Use strict regexp in URL Rewriting Know your application environment!
OWASP AppSecEU09 Poland Conclusion HPP is a quite simple but effective hacking technique HPP affects server side as well client side components The impact could vary depending on the affected functionality We are going to release a whitepaper about these and other issues, including all technical details. Stay tuned! HPP requires further researches in order to deeply understand threats and risks. Several applications are likely vulnerable to HPP Standard and guidelines on multiple occurrences of a parameter in the QueryString should be defined Awareness for application developers is crucial
OWASP AppSecEU09 Poland Q&A Time is over! Thanks! If you have further inquiries, please contact us: luca.carettoni@ikkisoft.com stefano.dipaola@mindedsecurity.com

Recommended

HTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it editionHTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it edition
Luca Carettoni
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacks
Stefano Di Paola
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Securing Your Web Server
Securing Your Web ServerSecuring Your Web Server
Securing Your Web Server
manugoel2003
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSS
lethalduck
 
Red5 - PHUG Workshops
Red5 - PHUG WorkshopsRed5 - PHUG Workshops
Red5 - PHUG Workshops
Brendan Sera-Shriar
 
Phalcon 2 High Performance APIs - DevWeekPOA 2015
Phalcon 2 High Performance APIs - DevWeekPOA 2015Phalcon 2 High Performance APIs - DevWeekPOA 2015
Phalcon 2 High Performance APIs - DevWeekPOA 2015
Jackson F. de A. Mafra
 
Php manish
Php manishPhp manish
Php manish
Manish Jain
 

Recommended

HTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it editionHTTP Parameter Pollution (HPP) - SEaCURE.it edition
HTTP Parameter Pollution (HPP) - SEaCURE.it edition
Luca Carettoni
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacks
Stefano Di Paola
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Securing Your Web Server
Securing Your Web ServerSecuring Your Web Server
Securing Your Web Server
manugoel2003
 
Lets exploit Injection and XSS
Lets exploit Injection and XSSLets exploit Injection and XSS
Lets exploit Injection and XSS
lethalduck
 
Red5 - PHUG Workshops
Red5 - PHUG WorkshopsRed5 - PHUG Workshops
Red5 - PHUG Workshops
Brendan Sera-Shriar
 
Phalcon 2 High Performance APIs - DevWeekPOA 2015
Phalcon 2 High Performance APIs - DevWeekPOA 2015Phalcon 2 High Performance APIs - DevWeekPOA 2015
Phalcon 2 High Performance APIs - DevWeekPOA 2015
Jackson F. de A. Mafra
 
Php manish
Php manishPhp manish
Php manish
Manish Jain
 
Rest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemyRest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemy
Alessandro Cucci
 
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult CasesPositive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
Nadim Kadiwala
 
A linux mac os x command line interface
A linux mac os x command line interfaceA linux mac os x command line interface
A linux mac os x command line interface
David Walker
 
Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)
Christopher Grant
 
Brief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vectorBrief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vector
Payampardaz
 
Presentation log4 j
Presentation log4 jPresentation log4 j
Presentation log4 j
Sylvain Bouchard
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Priyanka Aash
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
Steve Loughran
 
Build restful ap is with python and flask
Build restful ap is with python and flaskBuild restful ap is with python and flask
Build restful ap is with python and flask
Jeetendra singh
 
Flask Basics
Flask BasicsFlask Basics
Flask Basics
Eueung Mulyana
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash AppsOwasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
guestb0af15
 
Burp documentation
Burp documentationBurp documentation
Burp documentation
penetration Tester
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
Payampardaz
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
Rinaldi Rampen
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
Cross Site Request Forgery- CSRF
Cross Site Request Forgery- CSRF Cross Site Request Forgery- CSRF
Cross Site Request Forgery- CSRF
Mitul Babariya
 
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Edureka!
 
Phalcon 2 - PHP Brazil Conference
Phalcon 2 - PHP Brazil ConferencePhalcon 2 - PHP Brazil Conference
Phalcon 2 - PHP Brazil Conference
Jackson F. de A. Mafra
 
Integrating tomcat with apache
Integrating tomcat with apacheIntegrating tomcat with apache
Integrating tomcat with apache
govindraj8787
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
AppSec Latam 2011 - Segurança em Sites de Compras Coletivas
AppSec Latam 2011 - Segurança em Sites de Compras ColetivasAppSec Latam 2011 - Segurança em Sites de Compras Coletivas
AppSec Latam 2011 - Segurança em Sites de Compras Coletivas
Magno Logan
 

More Related Content

What's hot

Rest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemyRest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemy
Alessandro Cucci
 
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult CasesPositive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
Nadim Kadiwala
 
A linux mac os x command line interface
A linux mac os x command line interfaceA linux mac os x command line interface
A linux mac os x command line interface
David Walker
 
Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)
Christopher Grant
 
Brief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vectorBrief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vector
Payampardaz
 
Presentation log4 j
Presentation log4 jPresentation log4 j
Presentation log4 j
Sylvain Bouchard
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Priyanka Aash
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
Steve Loughran
 
Build restful ap is with python and flask
Build restful ap is with python and flaskBuild restful ap is with python and flask
Build restful ap is with python and flask
Jeetendra singh
 
Flask Basics
Flask BasicsFlask Basics
Flask Basics
Eueung Mulyana
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash AppsOwasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
guestb0af15
 
Burp documentation
Burp documentationBurp documentation
Burp documentation
penetration Tester
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
Payampardaz
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
Rinaldi Rampen
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Elvin Gentiles
 
Cross Site Request Forgery- CSRF
Cross Site Request Forgery- CSRF Cross Site Request Forgery- CSRF
Cross Site Request Forgery- CSRF
Mitul Babariya
 
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Edureka!
 
Phalcon 2 - PHP Brazil Conference
Phalcon 2 - PHP Brazil ConferencePhalcon 2 - PHP Brazil Conference
Phalcon 2 - PHP Brazil Conference
Jackson F. de A. Mafra
 
Integrating tomcat with apache
Integrating tomcat with apacheIntegrating tomcat with apache
Integrating tomcat with apache
govindraj8787
 

What's hot (20)

Rest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemyRest API using Flask & SqlAlchemy
Rest API using Flask & SqlAlchemy
 
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult CasesPositive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult Cases
 
Dive in burpsuite
Dive in burpsuiteDive in burpsuite
Dive in burpsuite
 
A linux mac os x command line interface
A linux mac os x command line interfaceA linux mac os x command line interface
A linux mac os x command line interface
 
Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)Flex Remoting and Messaging (2010)
Flex Remoting and Messaging (2010)
 
Brief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vectorBrief introduction into Padding Oracle attack vector
Brief introduction into Padding Oracle attack vector
 
Presentation log4 j
Presentation log4 jPresentation log4 j
Presentation log4 j
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
 
Build restful ap is with python and flask
Build restful ap is with python and flaskBuild restful ap is with python and flask
Build restful ap is with python and flask
 
Flask Basics
Flask BasicsFlask Basics
Flask Basics
 
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash AppsOwasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Apps
 
Burp documentation
Burp documentationBurp documentation
Burp documentation
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Cross Site Request Forgery- CSRF
Cross Site Request Forgery- CSRF Cross Site Request Forgery- CSRF
Cross Site Request Forgery- CSRF
 
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...
 
Phalcon 2 - PHP Brazil Conference
Phalcon 2 - PHP Brazil ConferencePhalcon 2 - PHP Brazil Conference
Phalcon 2 - PHP Brazil Conference
 
Integrating tomcat with apache
Integrating tomcat with apacheIntegrating tomcat with apache
Integrating tomcat with apache
 

Viewers also liked

AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
AppSec Latam 2011 - Segurança em Sites de Compras Coletivas
AppSec Latam 2011 - Segurança em Sites de Compras ColetivasAppSec Latam 2011 - Segurança em Sites de Compras Coletivas
AppSec Latam 2011 - Segurança em Sites de Compras Coletivas
Magno Logan
 
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
Magno Logan
 
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEEAppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
Magno Logan
 
Katana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoKatana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da Informação
Magno Logan
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Magno Logan
 
GTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroGTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguro
Magno Logan
 

Viewers also liked (7)

AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsAppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
 
AppSec Latam 2011 - Segurança em Sites de Compras Coletivas
AppSec Latam 2011 - Segurança em Sites de Compras ColetivasAppSec Latam 2011 - Segurança em Sites de Compras Coletivas
AppSec Latam 2011 - Segurança em Sites de Compras Coletivas
 
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
 
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEEAppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
 
Katana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da InformaçãoKatana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da Informação
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
GTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguroGTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguro
 

Similar to AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di Paola

Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
CODE BLUE
 
PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secure
IMMUNIO
 
CSG 2012
CSG 2012CSG 2012
CSG 2012
Scotty Logan
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
Sudhanshu Chauhan
 
Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07
Frédéric Harper
 
Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...
webhostingguy
 
Building Serverless applications with Python
Building Serverless applications with PythonBuilding Serverless applications with Python
Building Serverless applications with Python
Andrii Soldatenko
 
Apache Eagle: Architecture Evolvement and New Features
Apache Eagle: Architecture Evolvement and New FeaturesApache Eagle: Architecture Evolvement and New Features
Apache Eagle: Architecture Evolvement and New Features
Hao Chen
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
zakieh alizadeh
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
azida3
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
ssuser18349f1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
johnpragasam1
 
Intro to web services
Intro to web servicesIntro to web services
Intro to web services
Neil Ghosh
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developers
Patrick Savalle
 
Networked APIs with swift
Networked APIs with swiftNetworked APIs with swift
Networked APIs with swift
Tim Burks
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
Aaron Hnatiw
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
cgt38842
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
nmk42194
 
An Introduction to Websphere sMash for PHP Programmers
An Introduction to Websphere sMash for PHP ProgrammersAn Introduction to Websphere sMash for PHP Programmers
An Introduction to Websphere sMash for PHP Programmers
jphl
 

Similar to AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di Paola (20)

Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
 
PyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application securePyCon Canada 2015 - Is your python application secure
PyCon Canada 2015 - Is your python application secure
 
CSG 2012
CSG 2012CSG 2012
CSG 2012
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07Is your python application secure? - PyCon Canada - 2015-11-07
Is your python application secure? - PyCon Canada - 2015-11-07
 
Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...Application Note APLX-LMW-0403: Interfacing the Apache Web ...
Application Note APLX-LMW-0403: Interfacing the Apache Web ...
 
Building Serverless applications with Python
Building Serverless applications with PythonBuilding Serverless applications with Python
Building Serverless applications with Python
 
Apache Eagle: Architecture Evolvement and New Features
Apache Eagle: Architecture Evolvement and New FeaturesApache Eagle: Architecture Evolvement and New Features
Apache Eagle: Architecture Evolvement and New Features
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2OWASP_Top_Ten_Proactive_Controls version 2
OWASP_Top_Ten_Proactive_Controls version 2
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Intro to web services
Intro to web servicesIntro to web services
Intro to web services
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developers
 
Networked APIs with swift
Networked APIs with swiftNetworked APIs with swift
Networked APIs with swift
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptxOWASP_Top_Ten_Proactive_Controls_v32.pptx
OWASP_Top_Ten_Proactive_Controls_v32.pptx
 
An Introduction to Websphere sMash for PHP Programmers
An Introduction to Websphere sMash for PHP ProgrammersAn Introduction to Websphere sMash for PHP Programmers
An Introduction to Websphere sMash for PHP Programmers
 

More from Magno Logan

DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
Magno Logan
 
OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)
Magno Logan
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
Magno Logan
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
Magno Logan
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
Magno Logan
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
Magno Logan
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
Magno Logan
 
OWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BROWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BR
Magno Logan
 
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasTratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Magno Logan
 
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Magno Logan
 
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
Magno Logan
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck Willis
Magno Logan
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applications
Magno Logan
 
ENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na Web
Magno Logan
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applications
Magno Logan
 

More from Magno Logan (15)

DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
 
OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)
 
XST - Cross Site Tracing
XST - Cross Site TracingXST - Cross Site Tracing
XST - Cross Site Tracing
 
OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE OWASP Top 10 2007 for JavaEE
OWASP Top 10 2007 for JavaEE
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 
OWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BROWASP Top 10 2010 pt-BR
OWASP Top 10 2010 pt-BR
 
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasTratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
 
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
 
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck Willis
 
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applicationsJust4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applications
 
ENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na WebENSOL 2011 - OWASP e a Segurança na Web
ENSOL 2011 - OWASP e a Segurança na Web
 
BHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applicationsBHack 2012 - How to protect your web applications
BHack 2012 - How to protect your web applications
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 

AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di Paola

  • 1. OWASP AppSecEU09 Poland Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP EU09 Poland http://www.owasp.org HTTP Parameter Pollution Luca Carettoni Independent Researcher luca.carettoni@ikkisoft.com Stefano di Paola CTO @ Minded Security stefano.dipaola@mindedsecurity.com
  • 2. OWASP AppSecEU09 Poland 2 About us Luca “ikki” Carettoni Penetration Testing Specialist in a worldwide financial institution Security researcher for fun (and profit) OWASP Italy contributor I blog @ http://blog.nibblesec.org Keywords: web application security, ethical hacking, Java security Stefano “wisec” Di Paola CTO @ Minded Security Application Security Consulting Director of Research @ Minded Security Labs Lead of WAPT & Code Review Activities OWASP Italy R&D Director Sec Research (Flash Security, SWFIntruder...) WebLogs http://www.wisec.it, http://blog.mindedsecurity.com
  • 3. OWASP AppSecEU09 Poland Agenda Introduction Server enumeration HPP in a nutshell HPP Categories Server side attacks Concept Real world examples Client side attacks Concept Real world examples
  • 4. OWASP AppSecEU09 Poland Fact In modern web apps, several application layers are involved
  • 5. OWASP AppSecEU09 Poland Consequence Different input validation vulnerabilities exist SQL Injection LDAP Injection XML Injection XPath Injection Command Injection All input validation flaws are caused by unsanitized data flows between the front-end and the several back-ends of a web application Anyway, we still miss something here !?! _ _ _ Injection
  • 6. OWASP AppSecEU09 Poland An unbelievable story… There is no formal definition of an injection triggered by query string delimiters As far as we know, no one has never formalized an injection based attack against delimiters of the most used protocol on the web: HTTP HPP is surely around since many years, however it is definitely underestimated As a result, several vulnerabilities have been discovered in real-world applications
  • 7. OWASP AppSecEU09 Poland Introduction 1/2 The term Query String is commonly used to refer to the part between the “?” and the end of the URI As defined in the RFC 3986, it is a series of field- value pairs Pairs are separated by “&” or “;” The usage of semicolon is a W3C recommendation in order to avoid escaping RFC 2396 defines two classes of characters: Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( ) Reserved: ; / ? : @ & = + $ ,
  • 8. OWASP AppSecEU09 Poland Introduction 2/2 GET and POST HTTP request Query String meta characters are &, ?, #, ; , = and equivalent (e.g. using encoding) In case of multiple parameters with the same name, HTTP back-ends behave in several ways GET /foo?par1=val1&par2=val2 HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Accept: */* POST /foo HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Accept: */* Content-Length: 19 par1=val1&par2=val2c
  • 9. OWASP AppSecEU09 Poland Server enumeration - List
  • 10. OWASP AppSecEU09 Poland Server enumeration - Summing up Different web servers manage multiple occurrences in several ways Some behaviors are quite bizarre Whenever protocol details are not strongly defined, implementations may strongly differ Unusual behaviors are a usual source of security weaknesses (MANTRA!)
  • 11. OWASP AppSecEU09 Poland Additional considerations 1/2 As mentioned, ASP and ASP.NET concatenate the values with a comma in between This applies to the Query String and form parameters in ASP and ASP.NET Request.QueryString Request.Form Cookies have similar property in ASP.NET Request.Params[“par”] par = 1,2,3,4,5,6 POST /index.aspx?par=1&par=2 HTTP/1.1 User-Agent: Mozilla/5.0 Host: Host Cookie: par=5; par=6 Content-Length: 19 par=3&par=4
  • 12. OWASP AppSecEU09 Poland Additional considerations 2/2 Unfortunately, application behaviors in case of multiple occurrences may differ as well This is strongly connected with the specific API used by our code In Java, for example: javax.servlet.ServletRequest Interface (Query String direct parsing) java.lang.String getParameter(java.lang.String name) Returns the value of a request parameter as a String, or null if the parameter does not exist java.lang.String[] getParameterValues(java.lang.String name) Returns an array of String objects containing all of the values the given request parameter has, or null if the parameter does not exist As a result, the applications may react in unexpected ways…as you will see!
  • 13. OWASP AppSecEU09 Poland A bizarre behavior 1/4 - HPPed !
  • 14. OWASP AppSecEU09 Poland A bizarre behavior 2/4 - HPPed !
  • 15. OWASP AppSecEU09 Poland A bizarre behavior 3/4 - HPPed !
  • 16. OWASP AppSecEU09 Poland A bizarre behavior 4/4 - HPPed ! Since this error generates ~100 lines in the log file, it may be used to obfuscate other attacks
  • 17. OWASP AppSecEU09 Poland HPP in a nutshell HTTP Parameter Pollution (HPP) is a quite simple but effective hacking technique HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters It affects a building block of all web technologies thus server-side and client-side attacks exist Exploiting HPP vulnerabilities, it may be possible to: Override existing hardcoded HTTP parameters Modify the application behaviors Access and, potentially exploit, uncontrollable variables Bypass input validation checkpoints and WAFs rules
  • 18. OWASP AppSecEU09 Poland HPP Categories We are not keen on inventing yet another buzzword. However, the standard vulnerability nomenclature seems lacking this concept Classification: Client-side 1. First order HPP or Reflected HPP 2. Second order HPP or Stored HPP 3. Third order HPP or DOM Based HPP Server-side 1. Standard HPP 2. Second order HPP According to our classification, Flash Parameter Injection* may be considered as a particular subcategory of the HPP client-side attack * http://blog.watchfire.com/FPI.ppt
  • 19. OWASP AppSecEU09 Poland Encoding & GET/POST/Cookie precedence Several well-known encoding techniques may be used to inject malicious payloads The precedence of GET/POST/Cookie may influence the application behaviors and it can also be used to override parameters Apache Tomcat/6.0.18 POST /foo?par1=val1&par1=val2 HTTP/1.1 Host: 127.0.0.1 par1=val3&par1=val4 FIRST occurrence, GET parameter first
  • 20. OWASP AppSecEU09 Poland HPP Server Side Attacks 1/2 Suppose some code as the following: Which is the attack surface? void private executeBackendRequest(HTTPRequest request){ String amount=request.getParameter("amount"); String beneficiary=request.getParameter("recipient"); HttpRequest("http://backendServer.com/servlet/actions","POST", "action=transfer&amount="+amount+"&recipient="+beneficiary); }
  • 21. OWASP AppSecEU09 Poland HPP Server Side Attacks 2/2 A malicious user may send a request like: Then, the frontend will build the following back-end request: Obviously depends on how the application will manage the occurrence http://frontendHost.com/page?amount=1000&recipient=Mat%26action% 3dwithdraw action=transfer&amount=1000&recipient=Mat&action=withdraw HttpRequest("http://backendServer.com/servlet/actions","POST", "action=transfer&amount="+amount+"&recipient="+beneficiary);
  • 22. OWASP AppSecEU09 Poland HPP Server Side - WebApp Firewalls What would happen with WAFs that do Query String parsing before applying filters? HPP can be used even to bypass WAFs ☺ Some loose WAFs may analyze and validate a single parameter occurrence only (first or last one) Whenever the devel environment concatenates multiple occurrences (e.g. ASP, ASP.NET, AXIS IP Cameras, DBMan, …), an aggressor can split the malicious payload. http://mySecureApp/db.cgi?par=<Payload_1>&par=<Payload_2> par=<Payload_1>~~<Payload_2>
  • 23. OWASP AppSecEU09 Poland HPP Server Side – URL Rewriting URL Rewriting could be affected as well if regexp are too permissive: RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} .+page.php.* HTTP/ RewriteRule ^page.php.*$ - [F,L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^([^/]+)$ page.php?action=view&page=$1&id=0 [L] http://host/abc becomes: http://host/page.php?action=view&page=abc&id=0
  • 24. OWASP AppSecEU09 Poland HPP Server Side – URL Rewriting issues An attacker may try to inject: http://host/abc%26action%3dedit and the url will be rewritten as: http://host/page.php?action=view&page=abc&action=edit&id=0 Obviously, the impact depends on the functionality exposed 24
  • 25. OWASP AppSecEU09 Poland Real World Examples Server Side Attacks
  • 26. OWASP AppSecEU09 Poland Google Search Appliance - HPPed ! Once upon a time, during an assessment for XXX… GSA was the LAN search engine exposed for public search as well, with only three controllable values The parameter named “afilter” is used unencoded By polluting GSA parameters, appending %23 (“#”), we got full access to internal results
  • 27. OWASP AppSecEU09 Poland ModSecurity - HPPed ! ModSecurity SQL Injection filter bypass While the following query is properly detected Using HPP, it is possible to bypass the filter Other vendors may be affected as well This technique could potentially be extended to obfuscate attack payloads Lavakumar Kuppan is credited for this finding /index.aspx?page=select 1,2,3 from table where id=1 /index.aspx?page=select 1&page=2,3 from table where id=1
  • 28. OWASP AppSecEU09 Poland HPP Client Side attacks 1/2 HPP Client Side is about injecting additional parameters to links and other src attributes Suppose the following code: There's no XSS, but what about HPP? It’s just necessary to send a request like To obtain <? $val=htmlspecialchars($_GET['par'],ENT_QUOTES); ?> <a href="/page.php?action=view&par='.<?=$val?>.'">View Me!</a> http:/host/page.php?par=123%26action=edit <a href="/page.php?action=view&par=123&amp;action=edit">View Me!</a>
  • 29. OWASP AppSecEU09 Poland HPP Client Side attacks 2/2 Once again, it strongly depends on the functionalities of a link It's more about Anti-CSRF Functional UI Redressing It could be applied on every tag with Data, src, href attributes Action forms with POST method
  • 30. OWASP AppSecEU09 Poland HPP Client Side - DOM based It's about parsing unexpected parameters It's about the interaction between IDSs and the application It's about the generation of client side HPP via JavaScript It's about the use of (XMLHttp)Requests on polluted parameters // First Occurrence function gup( name ) { name = name.replace(/[[]/,"[").replace(/[]]/,"]"); var regexS = "[?&]"+name+"=([^&#]*)"; var regex = new RegExp( regexS ); var results = regex.exec( window.location.href ); if( results == null ) return ""; else return results[1]; } // Last Occurrence function argToObject () { var sArgs = location.search.slice(1).split('&'); var argObj={}; for (var i = 0; i < sArgs.length; i++) { var r=sArgs[i].split('=') argObj[r[0]]=r[1] } return argObj }
  • 31. OWASP AppSecEU09 Poland HPP Client Side - FPI, the HPP way As mentioned, an interesting case of HPP is the Flash Parameter Injection by Ayal Yogev and Adi Sharabani @ Watchfire FPI is about including FlashVars in the html itself when the vulnerable flash is directly dependent on the page itself A FPI will result in the injection of additional parameters in the param tag E.g. Piggybacking FlashVars http://myFlashApp/index.cgi?language=ENG%26globalVar=<HPP>
  • 32. OWASP AppSecEU09 Poland Real World Examples Client Side Attacks
  • 33. OWASP AppSecEU09 Poland Ask.com - HPPed ! Features: Anti XSS using HtmlEntities DOM HPP and Client Side HPP compliant! ;)
  • 34. OWASP AppSecEU09 Poland Excite - HPPed ! Features: Several parameters could be HPPed Anti XSS using htmlEntities countermeasures DOM HPP + Client Side HPP friendly! http://search.excite.it/image/ ?q=dog&page=1%26%71% 3d%66%75%63%6b%6f% 66%66%20%66%69%6e% 67%65%72%26%69%74% 65%6d%3d%30
  • 35. OWASP AppSecEU09 Poland Excite - HPPed ! 35 Sweet dogs? Click anywhere on an image... This is a kind of content pollution Even if the example seems harmless, it may help to successfully conduct social engineering attacks
  • 36. OWASP AppSecEU09 Poland MS IE8 XSS Filter Bypass - HPPed ! IE8 checks for XSS regexp in the query string parameters, as well as it searches for them in the output When there's a .NET application, multiple occurrences of a parameter are joined using “,” So param=<script&param=src=”....”> becomes <script,src=”...”> in HTML As you can imagine, it bypasses the IE8 XSS filter Alex Kuza is credited for this finding
  • 37. OWASP AppSecEU09 Poland Yahoo! Mail Classic - HPPed ! Features Check antiCSRF Dispatcher View Html Entities filtering, antiXSS HPP compliant! The dispatcher pattern helps the attacker %26DEL=1%26DelFID=Inbox%26cmd=fmgt.delete %2526cmd=fmgt.emptytrash Attack payload: http://it.mc257.mail.yahoo.com/mc/showFolder? fid=Inbox&order=down&tt=245&pSize=25&sta rtMid=0%2526cmd=fmgt.emptytrash%26DEL= 1%26DelFID=Inbox%26cmd=fmgt.delete
  • 38. OWASP AppSecEU09 Poland Yahoo! Mail Classic - HPPed ! It’s show time! Yahoo! has (silently) patched this issue…
  • 39. OWASP AppSecEU09 Poland PTK Forensic - HPPed ! PTK, an alternative Sleuthkit Interface PTK is a forensic tool with a web based frontend written in PHP, included in the SANS SIFT The investigator can mount a DD image and then inspect files, using the Web2.0 UI Here, HPP is the key to exploit a critical vulnerability* * http://www.ikkisoft.com/stuff/LC-2008-07.txt “...Once the investigator selects a specific file from the image filesystem, PTK invokes the following script: /ptk/lib/file_content.php?arg1=null&arg2=107533&arg3=<FILENAME>&arg4=1 ...”
  • 40. OWASP AppSecEU09 Poland PTK Forensic - HPPed ! Vulnerable code: Since filenames are contained within the DD image, they should be considered as user- supplied values $offset = $_GET['arg1']; $inode = $_GET['arg2']; $name = $_GET['arg3']; //filename $partition_id = $_GET['arg4']; $page_offset = 100; ... $type = get_file_type($_SESSION['image_path'], $offset, $inode); ... function get_file_type($path, $offset, $inode){ include("../config/conf.php"); if($offset == 'null'){ $offset = ''; }else{ $offset = "-o $offset"; } if($inode == 'null') $inode = ''; $result = shell_exec("$icat_bin -r $offset $path $inode | $file_bin -zb -"); if(preg_match("/(image data)|(PC bitmap data)/", $result)){ $_SESSION['is_graphic'] = 1; } return $result;}
  • 41. OWASP AppSecEU09 Poland PTK Forensic - HPPed ! Crafting a filename as Confidential.doc&arg1=;EvilShell;... It is actually possible to tamper the link, leading to code execution since PHP considers the last occurrence .../file_content.php?arg1=null&arg2=107533&arg3=Confidentia l.doc&arg1=;EvilShell;...&arg4=1 Demonstration video of the attack: http://www.vimeo.com/2161045 As a result… …Stored HPP!
  • 42. OWASP AppSecEU09 Poland PHPIDS - HPPed ! PHPIDS is a state-of-the-art security layer for PHP web applications When dealing with DOM based HPP, PHPIDS could be fooled If the DOM based location parsing gets the first occurrence, then PHPIDS will consider only PHP behavior It means the last occurrence, thus no alert and XSS attacks still possible!
  • 43. OWASP AppSecEU09 Poland Countermeasures Speaking about HPP, several elements should be considered: Application business logic Technology used Context Data validation (as usual!) Output encoding Filtering is the key to defend our systems! Don't use HtmlEntities. They're out of context! Instead, apply URL Encoding Use strict regexp in URL Rewriting Know your application environment!
  • 44. OWASP AppSecEU09 Poland Conclusion HPP is a quite simple but effective hacking technique HPP affects server side as well client side components The impact could vary depending on the affected functionality We are going to release a whitepaper about these and other issues, including all technical details. Stay tuned! HPP requires further researches in order to deeply understand threats and risks. Several applications are likely vulnerable to HPP Standard and guidelines on multiple occurrences of a parameter in the QueryString should be defined Awareness for application developers is crucial
  • 45. OWASP AppSecEU09 Poland Q&A Time is over! Thanks! If you have further inquiries, please contact us: luca.carettoni@ikkisoft.com stefano.dipaola@mindedsecurity.com