HTTP Parameter Pollution
Vulnerabilities in Web Applications

                 Marco `embyte’ Balduzzi
                   (C. Torrano, D.Balzarotti, E. Kirda)




Do you have the latest version of this presentation?
http://www.iseclab.org/people/embyte/slides/BHEU2011/hpp-bhEU2011.pdf
Overview
•  Introduction
•  HTTP Parameter Pollution
•  Detection Approach
•  Tool
•  Experiments
•  Results
•  Demo
•  Conclusions
Who am I?
•    From Bergamo (IT) to the French
     Riviera
•    MSc in Computer Engineering
•    PhD student at EURECOM
•    8+ years experience in IT Security
•    Engineer and consultant for different
     international firms
•    Co-founder of BGLug, Applied Uni
     Lab, (ex) SPINE Group, Nast, etc…


•    http://www.iseclab.org/people/embyte
The Web as We Know It

•  Has evolved from being a collection of simple
  and static pages to fully dynamic applications
•  Applications are more complex than they
  used to be
•  Multi-tier architecture is the norm
•  Many complex systems have web interfaces
The Web before
Now
Increased Importance of Web Security

•  As a consequence:
   –  Web security has increased in importance
   –  OWASP, the Top Ten Project
   –  Attacks against web apps constitute 60% of attacks on
      the Internet (SANS's The Top Cyber Security Risks)
   –  Applications being targeted for hosting drive-by-download
      content or C&C servers
   –  Malware targeting browsers (e.g. key and network
      loggers)
Increased Importance of Web Security

•  A lot of work done to detect injection type flaws:
   –  SQL Injection
   –  Cross Site Scripting
   –  Command Injection
•  Injection vulnerabilities have been well-studied, and tools
  exist
   –  Sanitization routines in languages (e.g., PHP)
   –  Static code analysis (e.g., Pixy, OWASP Orizon)
   –  Dynamic techniques (e.g., Huang et al.)
   –  Web Application Firewalls (WAF)
HTTP Parameter Pollution
•  A new class of Injection Vulnerability called HTTP Parameter
   Pollution (HPP) is less known
    –  Has not received much attention
    –  First presented by S. di Paola and L. Carettoni at OWASP 2009

•  Attack consists of injecting encoded query string delimiters into
   existing HTTP parameters (e.g. GET/POST/Cookie)
    –  If application does not sanitize its inputs, HPP can be used to
      launch client-side or server-side attacks
    –  Attacker may be able to override existing parameter values, inject a
      new parameter or exploit variables out of a direct reach
Research Objectives
•  To create the first automated approach for detecting HPP
  flaws
   –  Blackbox approach, consists of a set of tests and heuristics
•  To find out how prevalent HPP problems were on the web
   –  Is the problem being exaggerated?
   –  Is this problem known by developers?
   –  Does this problem occur more in smaller sites than larger
     sites?
   –  What is the significance of the problem?
HTTP Parameter Handling
•  During interaction with web application, client provides
  parameters via GET/POST/Cookie
   –  http://www.site.com/login?login=alice
•  HTTP allows the same parameter to be provided twice
   –  E.g., in a form checkbox
     http://www.w3schools.com/html/tryit.asp?filename=tryhtml_form_checkbox

•  What happens when the same parameter is provided
  twice?
   –  http://www.site.com/login?login=alice&login=bob
Google example
Yahoo example
HTTP Parameter Handling
•  We manually tested the common parameter-access methods of 5
   different languages
   Technology/Server      Tested method                    Parameter precedence
   ASP/IIS                Request.QueryString("par")       All (comma-delimited string)
   PHP/Apache             $_GET["par"]                     Last
   JSP/Tomcat             Request.getParameter("par")      First
   Perl (CGI)/Apache      param("par")                     First
   Python/Apache          FieldStorage.getvalue("par")     All (list)


•  There is nothing wrong with this, as long as the developer is aware
   of the behaviour
•  Languages provide safer accessors (e.g. Python's getfirst(), which
   always returns the first value)
HTTP Parameter Pollution
•  An HTTP Parameter Pollution (HPP) attack occurs
  –  When a malicious parameter Pinj, preceded by an encoded
     query-string delimiter (e.g. %26, the encoding of "&"), is
     injected into an existing parameter Phost

•  Typical scenario (client-side)
  –  Web application for an election between two candidates
HTTP Parameter Pollution
 Url  : http://host/election.jsp?poll_id=4568

 Link1: <a href="vote.jsp?poll_id=4568&candidate=white">
        Vote for Mr. White </a>
 Link2: <a href="vote.jsp?poll_id=4568&candidate=green">
        Vote for Mrs. Green </a>


•  The two links are built from the URL parameter
 ID = Request.getParameter("poll_id")
 href_link = "vote.jsp?poll_id=" + ID + "&candidate=xyz"


•  No sanitization: ID is concatenated into the link as-is
HTTP Parameter Pollution
•  poll_id is vulnerable and the attacker creates the URL:
   http://host/election.jsp?poll_id=4568%26candidate%3Dgreen

•  The resulting page now contains injected links:
 <a href="vote.jsp?poll_id=4568&candidate=green&candidate=white">
    Vote for Mr. White </a>
 <a href="vote.jsp?poll_id=4568&candidate=green&candidate=green">
    Vote for Mrs. Green </a>

•  If the developer expects to receive a single value
   –  JSP's Request.getParameter("candidate") returns the 1st value
   –  The parameter precedence is consistent…
•  Candidate Mrs. Green is always voted for!
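The precedence table and the election scenario above, replayed in code. This is an added example written for this page, not code from the slides or from PAPAS: the policy names (first, last, all_csv, all_list), the votes_cast helper and the mapping of stacks to policies are ours; the query strings are the ones shown on the slides.

```python
# Added example (not from the slides): resolve duplicate query parameters the
# way the stacks in the precedence table do, then replay election.jsp against
# each behaviour. Policy names are ours.
from urllib.parse import parse_qsl

# Precedence behaviours from the slide table (assumed mapping)
POLICIES = {
    "ASP/IIS": "all_csv",           # Request.QueryString("par") -> "a,b"
    "PHP/Apache": "last",           # $_GET["par"]
    "JSP/Tomcat": "first",          # Request.getParameter("par")
    "Perl (CGI)/Apache": "first",   # param("par") in scalar context
    "Python/Apache": "all_list",    # FieldStorage.getvalue("par") -> ["a", "b"]
}


def resolve(query, name, policy):
    """Value the application sees for `name` under a given precedence policy."""
    values = [v for k, v in parse_qsl(query, keep_blank_values=True) if k == name]
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "all_csv":
        return ",".join(values)
    if policy == "all_list":
        return values if len(values) > 1 else values[0]
    raise ValueError(f"unknown policy {policy!r}")


def build_vote_links(page_query):
    """election.jsp as the slides describe it: poll_id is read with
    getParameter() semantics (first value, already URL-decoded) and
    concatenated into the href without encoding. Deliberately vulnerable."""
    poll_id = resolve(page_query, "poll_id", "first")
    return [
        ("Mr. White", "vote.jsp?poll_id=" + poll_id + "&candidate=white"),
        ("Mrs. Green", "vote.jsp?poll_id=" + poll_id + "&candidate=green"),
    ]


def votes_cast(page_query, policy="first"):
    """Which candidate vote.jsp records for each link on the rendered page,
    given the precedence policy of the server that handles vote.jsp."""
    outcome = {}
    for label, href in build_vote_links(page_query):
        link_query = href.split("?", 1)[1]
        outcome[label] = resolve(link_query, "candidate", policy)
    return outcome


if __name__ == "__main__":
    benign = "poll_id=4568"
    polluted = "poll_id=4568%26candidate%3Dgreen"   # %26 = '&', %3D = '='
    for label, href in build_vote_links(polluted):
        print(label, "->", href)
    for stack, policy in POLICIES.items():
        print(f"{stack:18} benign={votes_cast(benign, policy)} "
              f"polluted={votes_cast(polluted, policy)}")
```

Under first-wins precedence (JSP, Perl) both links now record a vote for Mrs. Green; under last-wins (PHP) the injected value is ignored because the legitimate candidate comes after it; under ASP the server sees the joined string "green,white", which is the "join" behaviour P-Scan later looks for.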
Consequence

•  Override existing (hardcoded) values
•  Inject a new parameter
•  Exploit a parameter out of a direct reach
•  Client-side (user) or server-side (web-
  application) attack
Parameter Pollution – More uses
•  Cross-channel pollution
   –  HPP attacks can also be used to override parameters
     between different input channels (GET/POST/Cookie)
   –  Good security practice: accept parameters only from where
     they are supposed to be supplied
•  HPP to bypass CSRF tokens
   –  E.g. Yahoo Mail client-side attack (di Paola & Carettoni)
Bonus
      •  By concatenating the same parameter multiple times
      •  Bypass WAF input validation checks
          –  Exploit ASP's concatenation behaviour (all values joined with
             commas) together with SQL inline comments
          –  The attack payload is reassembled only after the WAF has
             inspected each value separately

Standard: show_user.aspx?id=5;select+1,2,3+from+users+where+id=1--
Over HPP: show_user.aspx?id=5;select+1&id=2&id=3+from+users+where+id=1--
          (ASP sees id = "5;select 1,2,3 from users where id=1--")

Standard: show_user.aspx?id=5+union+select+*+from+users--
Over HPP: show_user.aspx?id=5/*&id=*/union/*&id=*/select+*/*&id=*/from+users--
          (ASP sees id = "5/*,*/union/*,*/select */*,*/from users--")
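Why a WAF that inspects each parameter value on its own misses the split payload, shown with the two query strings from the slide. This is an added example, not code from the slides: the signature regex is a deliberately naive constructed one, asp_query_string is our model of Request.QueryString's comma join, and strip_inline_comments approximates what the SQL parser sees once /* */ comments are removed.

```python
# Added example (not from the slides): per-parameter WAF inspection vs. the
# value the ASP backend actually builds from duplicate parameters.
import re
from urllib.parse import parse_qsl

# Constructed, deliberately naive WAF signature: a UNION ... SELECT or
# SELECT ... FROM keyword sequence inside one value.
SQLI_SIGNATURE = re.compile(r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b", re.I)

# Query strings from the slide (the part after '?')
STANDARD_STACKED = "id=5;select+1,2,3+from+users+where+id=1--"
OVER_HPP_STACKED = "id=5;select+1&id=2&id=3+from+users+where+id=1--"
STANDARD_UNION = "id=5+union+select+*+from+users--"
OVER_HPP_UNION = "id=5/*&id=*/union/*&id=*/select+*/*&id=*/from+users--"


def waf_per_parameter(query):
    """True if any single parameter value, taken on its own, matches."""
    return any(SQLI_SIGNATURE.search(v) for _, v in parse_qsl(query))


def asp_query_string(query, name):
    """Model of classic ASP / ASP.NET Request.QueryString(name):
    every value supplied for `name`, joined with commas."""
    return ",".join(v for k, v in parse_qsl(query) if k == name)


def strip_inline_comments(sql):
    """What the SQL engine effectively parses once /* ... */ is dropped."""
    return re.sub(r"/\*.*?\*/", " ", sql)


def waf_after_join(query, name):
    """Inspect the value the application will really use, not the pieces."""
    joined = strip_inline_comments(asp_query_string(query, name))
    return bool(SQLI_SIGNATURE.search(joined))


if __name__ == "__main__":
    for q in (STANDARD_STACKED, OVER_HPP_STACKED, STANDARD_UNION, OVER_HPP_UNION):
        print(f"{q}\n  per-parameter WAF: {waf_per_parameter(q)}"
              f"\n  backend sees:      {asp_query_string(q, 'id')!r}"
              f"\n  WAF after join:    {waf_after_join(q, 'id')}")
```

The defensive point: a WAF (or any validation layer) has to normalise the request the way the backend will, including duplicate-parameter joining, or its view of the input diverges from the application's.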
System for HPP Detection
•  Four main components: browser, crawler, two scanners
Main Components
•  Instrumented browser: fetches the web pages and renders their content
   –  Full support for client-side scripts (e.g. JavaScript) and external
      resources (e.g. <embed>)
   –  Extracts all links and forms
•  Crawler: communicates with the browser, determines the URLs to visit
   and the forms to submit, and passes the information to the two scanners
•  P-Scan: determines the page behaviour when two parameters with the
   same name are injected
•  V-Scan: tests and attempts to verify that the site is vulnerable to HPP
P-Scan: Analysis of the Parameter Precedence

–  Analyzes a page to determine the precedence of
 parameters, when multiple occurrences of the same
 parameter are submitted
–  Take a parameter par1=val1 and generate a second value
 par1=new_val
   •  Page0 (original): app.php?par1=val1
   •  Page1 (test 1)   : app.php?par1=new_val
   •  Page2 (test 2)   : app.php?par1=val1&par1=new_val

–  How do we determine precedence? Naïve approach:
   •  Page0==Page2 -> precedence on first parameter
   •  Page1==Page2 -> precedence on second parameter
P-Scan: Problem with the naïve approach
•  In practice, naïve technique does not work well
   –  Applications are complex, with much dynamic content
      (advertising banners, RSS feeds, ads, etc.)


   –  Hence, we perform pre-filtering to eliminate dynamic
     components (embedded content, applets, iframes,
     stylesheets, etc.)
   –  Remove all self-referencing URLs (as these change
     when parameters are inserted)
   –  We then perform different tests to determine similarity
P-Scan: Tests
•  Error test
   –  The application crashes, or returns an "internal" error, when
      the same parameter is submitted multiple times
   –  Error signatures: regexps from the sqlmap project
•  Identity test
   –  Is the tested parameter considered by the application
       •  Page0=Page1=Page2

•  Base test
   –  Test assumes that the pre-filtering works perfectly (seldom
      the case)
P-Scan: Tests
•  Join test
   –  Are the two values somehow combined together (e.g. ASP's
      comma-delimited string)?
•  Fuzzy test
   –  Designed to cope with pages whose dynamic components have not
      been perfectly filtered out
   –  Based on the Gestalt Pattern Matching algorithm
   –  Computes the similarity among the pages
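A P-Scan-style classifier that runs the error, join, identity and fuzzy tests over the three requests (Page0, Page1, Page2). This is an added example, not PAPAS code: the pre-filter rules, the thresholds, the error signatures and the simulated app.php (render) are ours. The two test values use disjoint alphabets so the similarity ratio cleanly separates the cases, and a "Generated in N ms" footer is left in on purpose as residual dynamic content the pre-filter does not catch, which is what the fuzzy test exists for. Gestalt pattern matching is the Ratcliff/Obershelp algorithm that difflib.SequenceMatcher implements.

```python
# Added example (not PAPAS code): P-Scan-style parameter-precedence detection
# over three simulated fetches of app.php.
import difflib
import re

# Constructed error signatures, in the spirit of sqlmap's error regexps
ERROR_PATTERNS = re.compile(
    r"internal server error|sql syntax|odbc|ora-\d{5}|array to string", re.I)


def prefilter(html):
    """Strip dynamic components (embedded content, stylesheets) and
    self-referencing URLs, which change whenever parameters are added."""
    html = re.sub(r"<(script|iframe|embed|object|style)\b.*?</\1\s*>", "",
                  html, flags=re.S | re.I)
    html = re.sub(r"<link\b[^>]*>", "", html, flags=re.I)
    html = re.sub(r'href="[^"]*app\.php\?[^"]*"', 'href=""', html)
    return html


def similarity(a, b):
    """Gestalt pattern matching (Ratcliff/Obershelp) via difflib."""
    return difflib.SequenceMatcher(None, prefilter(a), prefilter(b),
                                   autojunk=False).ratio()


def classify_precedence(page0, page1, page2, val1, new_val,
                        identity_threshold=0.97, margin=0.03):
    """page0: par1=val1, page1: par1=new_val, page2: par1=val1&par1=new_val."""
    # Error test: the duplicated parameter breaks the application
    if ERROR_PATTERNS.search(page2) and not ERROR_PATTERNS.search(page0):
        return "error"
    body2 = prefilter(page2)
    # Join test: both values survive in the polluted page (ASP-style "a,b")
    if val1 in body2 and new_val in body2:
        return "join"
    # Identity test: changing the value changes nothing visible
    if similarity(page0, page1) >= identity_threshold:
        return "identity"
    # Fuzzy test: which single-valued page does the polluted page resemble?
    s02, s12 = similarity(page0, page2), similarity(page1, page2)
    if s02 > s12 + margin:
        return "first"
    if s12 > s02 + margin:
        return "last"
    return "unknown"


# Constructed stand-in for app.php: an ad iframe, a self link and a timing
# footer are the dynamic parts; {shown} is where the parameter is echoed.
_TEMPLATE = (
    '<html><head><title>app</title><link rel="stylesheet" href="/s.css"></head>'
    '<body><iframe src="http://ads.example/{ad}"></iframe>'
    '<div id="menu"><a href="/home">Home</a> <a href="/about">About</a></div>'
    '<p>Hello, {shown}!</p><a href="app.php?{query}">permalink</a>'
    '<p>Generated in {ms}ms</p></body></html>'
)


def render(policy, values, ad, ms):
    """Simulate app.php under one precedence behaviour."""
    if policy == "error" and len(values) > 1:
        return ("<h1>500 Internal Server Error</h1>"
                "<pre>Array to string conversion</pre>")
    shown = {"identity": "guest", "first": values[0], "last": values[-1],
             "join": ",".join(values), "error": values[0]}[policy]
    query = "&".join("par1=" + v for v in values)
    return _TEMPLATE.format(ad=ad, shown=shown, query=query, ms=ms)


VAL1 = "a7f3c9e1b5d2f8a4c6e0b3d7f1a9c5e2"      # constructed nonces with
NEW_VAL = "XQZWKJHGVYTRPNMLXQZWKJHGVYTRPNML"   # disjoint alphabets


def scan(policy):
    """Issue the three P-Scan requests against the simulated application."""
    pages = [render(policy, values, ad, ms) for values, ad, ms in
             (([VAL1], 9001, 17), ([NEW_VAL], 4242, 23), ([VAL1, NEW_VAL], 7331, 31))]
    return classify_precedence(*pages, VAL1, NEW_VAL)


if __name__ == "__main__":
    for policy in ("first", "last", "join", "identity", "error"):
        print(f"{policy:9} -> {scan(policy)}")
```

Order matters: the join check has to run before the fuzzy comparison, because in the joined page the second value sits directly before the page suffix and would otherwise make Page2 look more like Page1 than Page0.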
V-Scan: Testing for HPP vulnerabilities

•  For every page, an innocuous URL-encoded parameter
  (nonce) is injected
   –  E.g., “%26foo%3Dbar”
   –  Then check if the “&foo=bar” string is included inside the
      URLs of links or forms in the answer page


•  V-Scan starts by extracting the list PURL = [PU1, PU2, … PUn] of the
   parameters that are present in the page URL, and the list
   PBody = [PB1, PB2, … PBm] of the parameters that are present in links
   or forms contained in the page body
Where to inject the nonce

•  PA = PURL ∩ PBody: set of parameters that appear unmodified both in
   the URL and in the page content (links, forms)
•  PB = { p | p ∈ PURL ∧ p ∉ PBody }: URL parameters that do not appear
   in the page. Some of these parameters may appear in the page under a
   different name
•  PC = { p | p ∉ PURL ∧ p ∈ PBody }: set of parameters that appear
   somewhere in the page, but that are not present in the URL
V-Scan: Special Cases
•  E.g., one of the URL parameters (or part of it) is used as the
   entire target of a link



•  Self-referencing links



•  Similar issues with printing, sharing functionalities
•  To reduce false positives, we use heuristics
    –  E.g., the injected parameter does not start with http://
    –  Injection without URL-encoding
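The V-Scan check end to end: inject the URL-encoded nonce into each URL parameter, fetch the page, and look for the decoded "&foo=bar" as a separate parameter inside link and form targets, with the two heuristics from this slide. This is an added example, not PAPAS code: vulnerable_app and safe_app are constructed stand-ins for election.jsp, the fetch callback replaces the instrumented browser, and the self-reference rule (skip a target whose query string is exactly the polluted URL's) is our reading of the slide.

```python
# Added example (not PAPAS code): V-Scan-style nonce injection and
# verification against a simulated application.
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, urlencode, quote

NONCE_KEY, NONCE_VAL = "foo", "bar"      # the innocuous nonce from the slides


class _TargetExtractor(HTMLParser):
    """Collect href and form-action targets from a rendered page."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.targets.append(attrs["action"])


def extract_targets(html):
    parser = _TargetExtractor()
    parser.feed(html)
    return parser.targets


def polluted_urls(url):
    """Yield (parameter, polluted URL) for every URL parameter, appending the
    encoded nonce %26foo%3Dbar to that parameter's value."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (k, v) in enumerate(params):
        mutated = list(params)
        mutated[i] = (k, v + "&" + NONCE_KEY + "=" + NONCE_VAL)   # urlencode escapes & and =
        yield k, parts._replace(query=urlencode(mutated)).geturl()


def is_vulnerable_target(target, polluted_url, host_value):
    """The nonce must appear as its own parameter in the target's query."""
    if host_value.startswith(("http://", "https://")):
        return False     # heuristic 1: the parameter is itself a URL used as a target
    t = urlsplit(target)
    if t.query == urlsplit(polluted_url).query:
        return False     # self-referencing link: the raw request URL copied back
    return f"{NONCE_KEY}={NONCE_VAL}" in t.query.split("&")


def v_scan(url, fetch):
    """fetch(url) -> html. Return (parameter, target) pairs where the
    decoded nonce shows up as a separate parameter in a link or form."""
    findings = []
    original = dict(parse_qsl(urlsplit(url).query))
    for param, purl in polluted_urls(url):
        for target in extract_targets(fetch(purl)):
            if is_vulnerable_target(target, purl, original.get(param, "")):
                findings.append((param, target))
    return findings


def vulnerable_app(url):
    """Constructed election.jsp: concatenates the decoded poll_id unencoded."""
    poll_id = dict(parse_qsl(urlsplit(url).query)).get("poll_id", "")
    return (f'<a href="election.jsp?{urlsplit(url).query}">permalink</a>'
            f'<a href="vote.jsp?poll_id={poll_id}&candidate=white">White</a>'
            f'<form action="vote.jsp?poll_id={poll_id}&candidate=green"></form>')


def safe_app(url):
    """Same page, but the value is percent-encoded before being reused."""
    poll_id = quote(dict(parse_qsl(urlsplit(url).query)).get("poll_id", ""), safe="")
    return (f'<a href="vote.jsp?poll_id={poll_id}&candidate=white">White</a>'
            f'<form action="vote.jsp?poll_id={poll_id}&candidate=green"></form>')


if __name__ == "__main__":
    url = "http://host/election.jsp?poll_id=4568"
    print("vulnerable:", v_scan(url, vulnerable_app))
    print("safe:      ", v_scan(url, safe_app))
```

Against the encoding application the nonce comes back as poll_id=4568%26foo%3Dbar, still inside the host parameter, so the split on "&" never yields foo=bar and nothing is reported.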
Implementation – The PAPAS tool
•  PAPAS: Parameter Pollution Analysis System
•  The components communicate via TCP/IP sockets
   –  Crawler and Scanner are in Python
   –  The browser component has been implemented as a
     Firefox extension
   –  Advantage: We can see exactly how pages are
     rendered (cope with client-side scripts)
   –  Support for multiple sessions (parallelization)
Implementation – The PAPAS tool

•  PAPAS is fully customizable
  –  E.g., scanning depth, number of performed
    injections, page loading timeouts, etc.

•  Three modes are supported
  –  Fast mode, extensive mode, assisted mode
  –  In assisted mode, authenticated areas of a site
    can be scanned as well
Possible improvements
•  PAPAS does not support the crawling of links embedded
  in active content
   –  E.g., flash
•  Support additional encoding schemes (UTF-8, double
  URL-encoding)
•  PAPAS currently only focuses on client-side exploits
  where user needs to click on a link
   –  HPP is also possible on the server side – but this is more
     difficult to detect
   –  Analogous to detecting stored XSS
Ethical Considerations
•  Only client-side attacks. Server-side attacks have the
  potential to cause harm
•  We provided the applications with innocuous
  parameters (&foo=bar). No malicious code.
•  Limited scan time (15 min) and activity
•  We immediately informed, when possible, the
  security engineers of the affected applications
   –  We received grateful feedback
Two sets of experiments
•  We used PAPAS to scan a set of popular websites
   –  About 5,000 sites collected from the first 500 of
      Alexa's main categories
   –  The aim: to quickly scan as many websites as
      possible and to see how common HPP flaws are
•  We then analyzed some of the sites we identified
   to be HPP-vulnerable in more detail
The 5,016 tested sites
   Category            # of tested applications
   Financial                110
   Games                    300
   Government               132
   Health                   235
   Internet                 698
   News                     599
   Organization             106
   Science                  222
   Shopping                 460
   Social Networking        117
   Sports                   256
   Travel                   175
   University                91
   Video                    114
   Others                 1,401
   Total                  5,016
Efficient assessment
•  In 13 days, we tested 5,016 sites and more than 149,000
  unique pages
•  To maximize the speed, the scanner
   –  Crawled pages up to a distance of 3 from the homepage
   –  Considered links with at least one parameter (except for the
     homepage)
   –  Considered at most 5 instances per page (same page,
      different query string)
   –  We disabled pop-ups, images, plug-ins for active content
     technologies
Evaluation – Parameter Precedence

•  Database errors
  –  Web developers do not seem aware of the possibility
     of duplicating GET/POST parameters
Evaluation – Parameter Precedence
•  Parameter Inconsistency
   –  Sites developed using a combination of heterogeneous
     technologies (e.g. PHP and Perl)
   –  This is perfectly safe if the developer is aware of the
     HPP threat… this is not always the case
Evaluation – HPP Vulnerabilities
•  PAPAS discovered that about 1,500 (30%) websites
  contained at least one page vulnerable to HTTP
  Parameter Injection
   –  The tool was able to inject (and verify) an encoded
      parameter
•  Vulnerable != Exploitable
   –  Is the parameter precedence consistent?
   –  Can a possible attacker override existing parameter
     values?
Vulnerable or exploitable?
•  Injection on a link:
   –  Parameter in the middle -> always overriding: the injected
      parameter lands after the parameters that precede the host and
      before those that follow it, so it overrides one of them under
      either first-wins or last-wins precedence
   –  Parameter at the beginning/end -> automated check
      via P-Scan
•  Injection on a form:
   –  The injected value is automatically encoded by the
      browser
   –  Still, someone may be able to run a two-step
      attack (client-side) or a server-side attack
Vulnerable or exploitable?
•  702 applications are exploitable
  –  About 14%
  –  The injected parameter either overrides the
    value of an existing one or is accepted as
    “new parameter”
     •  E.g. A new action is injected
    Url: pool.pl?par1=val1%26action%3Dreset
    Link: target.pl?x=y&w=z&par1=val1&action=reset
Evaluation




•  More sensitive sites are equally (or
 even more) affected by the problem
False Positives
•  10 applications (1.12%) use the injected
 parameter as entire target for one link
•  Variation of the special case we saw in
 slide 18 (V-Scan: special cases)
  –  The application applied a transformation to the
    parameter before using it as a link’s URL
Some Case Studies
•  We investigated some of the websites in more detail
   –  Among our "victims": Facebook, Google, Symantec,
      Microsoft, PayPal, Flickr, FOX Video, VMware, …
   –  We notified security officers and some of the problems were
     fixed
   –  Facebook: share component
   –  Several shopping cart applications could be manipulated to
     change the price of an item
   –  Some banks were vulnerable and we could play around with
     parameters
   –  Google: search engine results could be manipulated
Homepage injection WHO
Nasa.gov: ColdFusion SQL error
Misleading shopping users
Your (secured) home banking
And Google 
PAPAS Online Service
•  5K websites tested
   –  30% sites are vulnerable: injectable parameters
   –  14% exploitable: possible to override or introduce arbitrary
     parameters/values
•  What about mine?


•  PAPAS @ http://papas.iseclab.org
•  Free-to-use service
•  Ownership token verification
•  Configurable
PAPAS Online Service



       DEMO
HPP Prevention
•  Input validation
   –  Encoded query string delimiters
•  Use safe methods
   –  Parameter precedence (ref. slide 14)
   –  Channel (GET/POST/Cookie) validation (ref. slide 19)
•  Raise awareness
   –  The client can provide the same parameter twice (or
     more)
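The three prevention points in code: one accessor that reads a parameter from exactly the channel it is expected on, refuses duplicates, and whitelists the value so an encoded delimiter never survives, plus a link builder that percent-encodes values before concatenation. This is an added example, not from the slides and not tied to any framework; the Request class is a constructed stand-in for a framework request object, and the character whitelist is an assumed policy for a poll identifier.

```python
# Added example (not from the slides): hardened parameter access and link
# construction against HPP. Framework-independent; Request is a stand-in.
import re
from urllib.parse import parse_qs, urlencode


class ParameterPollution(ValueError):
    """Raised when a parameter is duplicated, missing or malformed."""


class Request:
    """Constructed minimal request with separate GET, POST and cookie channels."""

    def __init__(self, query="", body="", cookie=""):
        self.channels = {
            "GET": parse_qs(query, keep_blank_values=True),
            "POST": parse_qs(body, keep_blank_values=True),
            "COOKIE": parse_qs(cookie.replace("; ", "&"), keep_blank_values=True),
        }


def get_single(request, name, channel, pattern=r"[A-Za-z0-9_-]{1,64}"):
    """Read `name` from one channel only (channel validation), require exactly
    one occurrence (no precedence ambiguity), and whitelist its characters so
    '&', '=' or their encoded forms can never be echoed into a link."""
    values = request.channels[channel].get(name, [])
    if len(values) != 1:
        raise ParameterPollution(
            f"{name}: expected exactly 1 value on {channel}, got {len(values)}")
    if not re.fullmatch(pattern, values[0]):
        raise ParameterPollution(f"{name}: value fails validation")
    return values[0]


def rejects(request, name, channel):
    """True if get_single refuses the parameter (used by the checks below)."""
    try:
        get_single(request, name, channel)
    except ParameterPollution:
        return True
    return False


def vote_link(poll_id, candidate):
    """Build the link with urlencode: '&' and '=' inside values are escaped,
    so even an unvalidated value cannot add or override a parameter."""
    return "vote.jsp?" + urlencode({"poll_id": poll_id, "candidate": candidate})


if __name__ == "__main__":
    ok = Request(query="poll_id=4568")
    print(vote_link(get_single(ok, "poll_id", "GET"), "white"))
    bad = Request(query="poll_id=4568%26candidate%3Dgreen")
    print("polluted request rejected:", rejects(bad, "poll_id", "GET"))
    # Defence in depth: the encoder alone already neutralises the payload
    print(vote_link("4568&candidate=green", "white"))
```

Either layer alone stops the election attack; together they also cover the case where a parameter legitimately needs characters outside the whitelist.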
Acknowledgments, References
•  Joint work:
   –  M. Balduzzi, C. Torrano Gimenez, D. Balzarotti,
      and E. Kirda. Automated discovery of parameter
      pollution vulnerabilities in web applications. In
      NDSS'11, San Diego, CA.
•  http://papas.iseclab.org/cgi-bin/resources.py
•  Black Hat’s White Paper
Conclusion
•  Presented the first technique and system to detect
   HPP vulnerabilities in web applications
   –  We call it PAPAS, http://papas.iseclab.org
•  Conducted a large-scale study of the Internet
   –  About 5,000 web sites
•  Our results suggest that Parameter Pollution is a
   largely unknown and wide-spread problem
•  We hope our work will help raise awareness about HPP!
Questions?




             embyte@iseclab.org

Thenraja Vettivelraj
 
Bots & spiders
Bots & spidersBots & spiders
Bots & spiders
Maté Ongenaert
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 
(ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service (ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service
BIOVIA
 
Software Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software EngineeringSoftware Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software Engineering
Tao Xie
 
Introduction to Web Programming - first course
Introduction to Web Programming - first courseIntroduction to Web Programming - first course
Introduction to Web Programming - first course
Vlad Posea
 

Similar to HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011) (20)

Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
 
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
The 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyThe 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a Proxy
 
Website Testing Practices
Website Testing PracticesWebsite Testing Practices
Website Testing Practices
 
Graphing for Security
Graphing for SecurityGraphing for Security
Graphing for Security
 
Manipulating Web Application Interfaces
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application Interfaces
 
Neotys PAC 2018 - Tingting Zong
Neotys PAC 2018 - Tingting ZongNeotys PAC 2018 - Tingting Zong
Neotys PAC 2018 - Tingting Zong
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T
 
WebAppSec: Assessment and Defense
WebAppSec: Assessment and DefenseWebAppSec: Assessment and Defense
WebAppSec: Assessment and Defense
 
Monitoring a Kubernetes-backed microservice architecture with Prometheus
Monitoring a Kubernetes-backed microservice architecture with PrometheusMonitoring a Kubernetes-backed microservice architecture with Prometheus
Monitoring a Kubernetes-backed microservice architecture with Prometheus
 
Find maximum bugs in limited time
Find maximum bugs in limited timeFind maximum bugs in limited time
Find maximum bugs in limited time
 
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Prowess presentation
Prowess presentationProwess presentation
Prowess presentation
 
Bots & spiders
Bots & spidersBots & spiders
Bots & spiders
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
(ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service (ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service
 
Software Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software EngineeringSoftware Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software Engineering
 
Introduction to Web Programming - first course
Introduction to Web Programming - first courseIntroduction to Web Programming - first course
Introduction to Web Programming - first course
 

More from Marco Balduzzi

Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Marco Balduzzi
 
CTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards CerimonyCTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards Cerimony
Marco Balduzzi
 
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled TechnologiesSCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
Marco Balduzzi
 
Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)
Marco Balduzzi
 
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Marco Balduzzi
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Marco Balduzzi
 
Plead APT @ EECTF 2016
Plead APT @ EECTF 2016Plead APT @ EECTF 2016
Plead APT @ EECTF 2016
Marco Balduzzi
 
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Marco Balduzzi
 
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
Marco Balduzzi
 
Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)
Marco Balduzzi
 
The (in)security of File Hosting Services
The (in)security of File Hosting ServicesThe (in)security of File Hosting Services
The (in)security of File Hosting Services
Marco Balduzzi
 
Stealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using SkypeStealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using Skype
Marco Balduzzi
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
Marco Balduzzi
 
Paper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksPaper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking Attacks
Marco Balduzzi
 

More from Marco Balduzzi (14)

Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
 
CTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards CerimonyCTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards Cerimony
 
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled TechnologiesSCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
 
Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)
 
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
 
Plead APT @ EECTF 2016
Plead APT @ EECTF 2016Plead APT @ EECTF 2016
Plead APT @ EECTF 2016
 
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
 
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
 
Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)
 
The (in)security of File Hosting Services
The (in)security of File Hosting ServicesThe (in)security of File Hosting Services
The (in)security of File Hosting Services
 
Stealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using SkypeStealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using Skype
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
 
Paper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksPaper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking Attacks
 

Recently uploaded

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)

HTTP Parameter Pollution
•  A new class of Injection Vulnerability called HTTP Parameter
   Pollution (HPP) is less known
   –  Has not received much attention
   –  First presented by S. di Paola and L. Carettoni at OWASP 2009
•  Attack consists of injecting encoded query string delimiters into
   existing HTTP parameters (e.g. GET/POST/Cookie)
   –  If application does not sanitize its inputs, HPP can be used to
      launch client-side or server-side attacks
   –  Attacker may be able to override existing parameter values,
      inject a new parameter or exploit variables out of a direct reach
Research Objectives
•  To create the first automated approach for detecting HPP flaws
   –  Blackbox approach, consists of a set of tests and heuristics
•  To find out how prevalent HPP problems were on the web
   –  Is the problem being exaggerated?
   –  Is this problem known by developers?
   –  Does this problem occur more in smaller sites than larger sites?
   –  What is the significance of the problem?
HTTP Parameter Handling
•  During interaction with web application, client provides
   parameters via GET/POST/Cookie
   –  http://www.site.com/login?login=alice
•  HTTP allows the same parameter to be provided twice
   –  E.g., in a form checkbox
      http://www.w3schools.com/html/tryit.asp?filename=tryhtml_form_checkbox
•  What happens when the same parameter is provided twice?
   –  http://www.site.com/login?login=alice&login=bob
HTTP Parameter Handling
•  We manually tested common methods of 5 different languages

   Technology/Server   Tested Method                 Parameter Precedence
   ASP/IIS             Request.QueryString("par")    All (comma-delimited string)
   PHP/Apache          $_GET["par"]                  Last
   JSP/Tomcat          Request.getParameter("par")   First
   Perl(CGI)/Apache    Param("par")                  First
   Python/Apache       getvalue("par")               All (List)

•  There is nothing bad with it, if the developer is aware of this
   behavior
•  Languages provide secure functions (python's getfirst())
HTTP Parameter Pollution
•  An HTTP Parameter Pollution (HPP) attack occurs
   –  When a malicious parameter Pinj, preceded by an encoded query
      string delimiter (e.g. %26), is injected into an existing
      parameter Phost
•  Typical scenario (client-side)
   –  Web application for election for two candidates
HTTP Parameter Pollution
Url  : http://host/election.jsp?poll_id=4568
Link1: <a href="vote.jsp?poll_id=4568&candidate=white"> Vote for Mr.White </a>
Link2: <a href="vote.jsp?poll_id=4568&candidate=green"> Vote for Mrs.Green </a>
•  The two links are built from the URL
   ID = Request.getParameter("poll_id")
   href_link = "vote.jsp?poll_id=" + ID + "&candidate=xyz"
•  No sanitization
HTTP Parameter Pollution
•  poll_id is vulnerable and Attacker creates URL:
   http://host/election.jsp?poll_id=4568%26candidate%3Dgreen
•  The resulting page now contains injected links:
   <a href=vote.jsp?poll_id=4568&candidate=green&candidate=white> Vote for Mr. White </a>
   <a href=vote.jsp?poll_id=4568&candidate=green&candidate=green> Vote for Mrs. Green </a>
•  If the developer expects to receive a single value
   –  Jsp's Request.getParameter("candidate") returns the 1st value
   –  The parameter precedence is consistent…
•  Candidate Mrs. Green is always voted!
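The election scenario above as an added Python example (not code from the slides or from PAPAS): the raw link construction of election.jsp beside a URL-encoding fix, with the resulting vote link resolved under the precedence rules of the table. The poll_id value, the function names and the precedence labels are constructed for this example.

```python
from urllib.parse import parse_qs, parse_qsl, quote, unquote

# Constructed attacker-supplied poll_id, as election.jsp sees it after the
# server has URL-decoded the query string once: "4568&candidate=green".
POLLUTED_POLL_ID = unquote("4568%26candidate%3Dgreen")


def vote_link_vulnerable(poll_id, candidate):
    """Link construction as on the slide: raw concatenation, no sanitization."""
    return "vote.jsp?poll_id=" + poll_id + "&candidate=" + candidate


def vote_link_hardened(poll_id, candidate):
    """Same link with each value URL-encoded. quote(..., safe='') also encodes
    '&' and '=', so an injected delimiter stays inside the poll_id value."""
    return ("vote.jsp?poll_id=" + quote(poll_id, safe="")
            + "&candidate=" + quote(candidate, safe=""))


def resolve(link, name, precedence):
    """Emulate the per-technology handling from the table for one parameter:
    'first' (JSP getParameter, Perl CGI param), 'last' (PHP $_GET),
    'all' (Python getvalue as a list) or 'join' (ASP comma-delimited string)."""
    query = link.split("?", 1)[1]
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    if not values:
        return None
    return {"first": values[0], "last": values[-1],
            "all": values, "join": ",".join(values)}[precedence]


def duplicated_params(link):
    """Defensive check a request handler can run: names that occur more than
    once in the query string, which a strict application should reject."""
    counts = {}
    for name, _ in parse_qsl(link.split("?", 1)[1], keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def demo(builder):
    """Build Mr. White's link from the polluted poll_id and show who actually
    receives the vote under each precedence rule."""
    link = builder(POLLUTED_POLL_ID, "white")
    return {
        "link": link,
        "duplicates": duplicated_params(link),
        "voted": {p: resolve(link, "candidate", p)
                  for p in ("first", "last", "all", "join")},
    }


if __name__ == "__main__":
    for builder in (vote_link_vulnerable, vote_link_hardened):
        print(builder.__name__, demo(builder))
```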
Consequence
•  Override existing (hardcoded) values
•  Inject a new parameter
•  Exploit a parameter out of a direct reach
•  Client-side (user) or server-side (web-application) attack
Parameter Pollution – More uses
•  Cross-channel pollution
   –  HPP attacks can also be used to override parameters between
      different input channels (GET/POST/Cookie)
   –  Good security practice: accept parameters only from where they
      are supposed to be supplied
•  HPP to bypass CSRF tokens
   –  E.g. Yahoo Mail client-side attack (di Paola & Carettoni)
Bonus
•  By concatenating the same parameter multiple times
•  Bypass WAFs input validation checks
   –  Exploit ASP concatenation behavior and inline comments
   –  Concatenate the attack payload after the WAF filtering
Standard: show_user.aspx?id=5;select+1,2,3+from+users+where+id=1--
Over HPP: show_user.aspx?id=5;select+1&id=2&id=3+from+users+where+id=1--
Standard: show_user.aspx?id=5+union+select+*+from+users--
Over HPP: show_user.aspx?id=5/*&id=*/union/*&id=*/select+*/*&id=*/from+users--
System for HPP Detection
•  Four main components: browser, crawler, two scanners
Main Components
•  Instrumented browser fetches the web pages and renders their content
   –  Full support for client-side scripts (e.g. Javascript) and
      external resources (e.g. <embed>)
   –  Extracts all links and forms
•  Crawler communicates with browser, determines URLs to visit and
   forms to submit. Passes the information to two scanners
•  P-Scan: Determines page behavior when two parameters with the same
   name are injected
•  V-Scan: Tests and attempts to verify that site is vulnerable to HPP
P-Scan: Analysis of the Parameter Precedence
•  Analyzes a page to determine the precedence of parameters, when
   multiple occurrences of the same parameter are submitted
•  Take parameter par1=val1, generate a similar value par1=new_val
   –  Page0 (original): app.php?par1=val1
   –  Page1 (test 1)  : app.php?par1=new_val
   –  Page2 (test 2)  : app.php?par1=val1&par1=new_val
•  How do we determine precedence? Naïve approach:
   –  Page0==Page2 -> precedence on first parameter
   –  Page1==Page2 -> precedence on second parameter
P-Scan: Problem with the naïve approach
•  In practice, naïve technique does not work well
   –  Applications are complex, much dynamic content (publicity
      banners, RSS feeds, ads, etc.)
   –  Hence, we perform pre-filtering to eliminate dynamic components
      (embedded content, applets, iframes, stylesheets, etc.)
   –  Remove all self-referencing URLs (as these change when parameters
      are inserted)
   –  We then perform different tests to determine similarity
P-Scan: Tests
•  Error test
   –  The application crashes, or returns an "internal" error, when an
      identical parameter is injected multiple times
   –  Regexps from the sqlmap project
•  Identity test
   –  Is the tested parameter considered by the application?
   –  Page0=Page1=Page2
•  Base test
   –  Test assumes that the pre-filtering works perfectly (seldom the
      case)
P-Scan: Tests
•  Join test
   –  Are the two values somehow combined together (e.g. ASP)?
•  Fuzzy test
   –  It is designed to cope with pages whose dynamic components have
      not been perfectly sanitized
   –  Based on the Gestalt Pattern Matching algorithm
   –  Compute the similarity among the pages
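The P-Scan tests above as a runnable Python example added here (not PAPAS code): a constructed app.php stand-in serves the three pages with an ad iframe, a timestamp and a self-referencing link as noise, pre-filtering strips the embedded content and self-referencing URLs, and the fuzzy test uses difflib.SequenceMatcher, which implements the Gestalt pattern matching (Ratcliff/Obershelp) algorithm. The error regexps are constructed in the spirit of sqlmap's, not taken from it, and the threshold is an assumption.

```python
import difflib
import re
from urllib.parse import parse_qs, urlsplit


def fake_app(url, mode, ts="t", ad=1):
    """Constructed app.php stand-in. `mode` is the precedence the server
    really applies ('first', 'last', 'join', 'ignore' or 'crash')."""
    vals = parse_qs(urlsplit(url).query).get("par1", [""])
    if mode == "crash" and len(vals) > 1:
        return "<html><body><h1>500 Internal Server Error</h1></body></html>"
    shown = {"first": vals[0], "last": vals[-1], "join": ",".join(vals),
             "ignore": "", "crash": vals[0]}[mode]
    return ("<html><body>"
            f"<iframe src='/ads?id={ad}'></iframe>"          # dynamic banner
            f"<p>Hello {shown}</p><p>Served at {ts}</p>"     # timestamp noise
            f"<a href='{url}'>reload</a></body></html>")     # self-referencing


PAIRED = re.compile(r"<(iframe|applet|object|script|style)\b[^>]*>.*?</\1>",
                    re.S | re.I)
UNPAIRED = re.compile(r"<(embed|link|img)\b[^>]*>", re.I)
URL_ATTR = re.compile(r"(href|src)=['\"]?([^'\" >]+)", re.I)
# Error-test patterns, constructed here in the spirit of sqlmap's signatures.
ERROR_RE = re.compile(r"Internal Server Error|Warning: .* on line \d+|"
                      r"You have an error in your SQL syntax", re.I)


def prefilter(html, page_path):
    """Drop embedded/dynamic components and every URL that points back at
    the tested page, because those change whenever parameters are added."""
    html = PAIRED.sub("", html)
    html = UNPAIRED.sub("", html)
    return URL_ATTR.sub(
        lambda m: "" if urlsplit(m.group(2)).path == page_path else m.group(0),
        html)


def precedence(page0, page1, page2, val1, new_val, page_path, threshold=0.8):
    """P-Scan decision for Page0 (par1=val1), Page1 (par1=new_val) and
    Page2 (par1=val1&par1=new_val): 'error', 'identity', 'first', 'last',
    'join' or 'unknown'."""
    if ERROR_RE.search(page2):
        return "error"                      # error test
    p0, p1, p2 = (prefilter(p, page_path) for p in (page0, page1, page2))
    if p0 == p1 == p2:
        return "identity"                   # parameter not used by the page
    if p0 == p2:
        return "first"                      # base test, exact match
    if p1 == p2:
        return "last"
    if re.search(re.escape(val1) + r"\W{0,3}" + re.escape(new_val), p2):
        return "join"                       # values combined, e.g. ASP "val1,new_val"
    # Fuzzy test: Gestalt pattern matching similarity against both test pages.
    r0 = difflib.SequenceMatcher(None, p0, p2).ratio()
    r1 = difflib.SequenceMatcher(None, p1, p2).ratio()
    if max(r0, r1) < threshold or r0 == r1:
        return "unknown"
    return "first" if r0 > r1 else "last"


def scan(base, mode, noisy):
    """Fetch the three test pages from the constructed app and classify.
    With noisy=True every fetch gets a different timestamp and banner."""
    urls = (base + "?par1=val1", base + "?par1=new_val",
            base + "?par1=val1&par1=new_val")
    stamps = ("10:00:01", "10:00:02", "10:00:03") if noisy else ("t",) * 3
    ads = (17, 42, 99) if noisy else (1, 1, 1)
    pages = [fake_app(u, mode, t, a) for u, t, a in zip(urls, stamps, ads)]
    return precedence(*pages, "val1", "new_val", urlsplit(base).path)


if __name__ == "__main__":
    for mode in ("first", "last", "join", "ignore", "crash"):
        print(mode, scan("http://app/app.php", mode, noisy=True))
```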
  • 27. V-Scan: Testing for HPP vulnerabilities •  For every page, an innocuous URL-encoded parameter (nonce) is injected –  E.g., “%26foo%3Dbar” –  Then check if the “&foo=bar” string is included inside the URLs of links or forms in the answer page •  V-Scan starts by extracting the list PURL=[PU1,PU2,…PUn] of the parameters that are present in the page URL, and the list Pbody=[PB1,PB2,…PUm] of the parameters that are present in links or forms contained in the page body
• 28. Where to inject the nonce
•  PA = PURL ∩ PBody: set of parameters that appear unmodified both in the URL and in the page content (links, forms)
•  PB = { p | p ∈ PURL ∧ p ∉ PBody }: URL parameters that do not appear in the page. Some of these parameters may appear in the page under a different name
•  PC = { p | p ∉ PURL ∧ p ∈ PBody }: set of parameters that appear somewhere in the page, but that are not present in the URL
• 29. V-Scan: Special Cases
•  E.g., one of the URL parameters (or part of it) is used as the entire target of a link
•  Self-referencing links
•  Similar issues with printing and sharing functionalities
•  To reduce false positives, we use heuristics
   –  E.g., the injected parameter does not start with http://
   –  Injection without URL-encoding
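The V-Scan step of slides 27–29 as an added example (not PAPAS source): `partition` computes PA, PB and PC from the page URL and the links/forms in the body, `inject` appends the once-encoded nonce to the raw value of a parameter, and `v_scan` reports every link or form whose URL contains the decoded `&foo=bar`, applying the two heuristics from the special-cases slide (skip values that are themselves http:// URLs, and skip links whose whole target is just the parameter value). There is no live site here: `vulnerable_app` is a constructed target that pastes decoded parameter values into a link and a form action, and the page URL in the usage call is invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Added example, not PAPAS source: the nonce-injection step of V-Scan and the
# PA/PB/PC partitioning of parameters, run against a constructed target page
# (vulnerable_app) instead of a live site.

NONCE_ENCODED = "%26foo%3Dbar"   # "&foo=bar", URL-encoded once
NONCE_DECODED = "&foo=bar"       # what a vulnerable page echoes into a link

class LinkCollector(HTMLParser):
    """Collect the URLs of <a href> links and <form action> targets."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(("link", a["href"]))
        elif tag == "form" and a.get("action"):
            self.urls.append(("form", a["action"]))

def collect_urls(body):
    c = LinkCollector()
    c.feed(body)
    c.close()
    return c.urls

def param_names(url):
    return {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}

def partition(page_url, body):
    """PA = PURL ∩ PBody, PB = PURL minus PBody, PC = PBody minus PURL."""
    p_url = param_names(page_url)
    p_body = set().union(*(param_names(u) for _, u in collect_urls(body)))
    return {"PA": p_url & p_body, "PB": p_url - p_body, "PC": p_body - p_url}

def inject(page_url, name, payload=NONCE_ENCODED):
    """Append the encoded nonce to the raw value of `name` (added if absent),
    without re-encoding the rest of the query string."""
    parts = urlsplit(page_url)
    pieces, found = [], False
    for piece in parts.query.split("&"):
        if not found and piece.split("=", 1)[0] == name:
            piece, found = piece + payload, True
        pieces.append(piece)
    if not found:
        pieces.append(f"{name}={payload}")
    return parts._replace(query="&".join(pieces)).geturl()

def v_scan(app, page_url):
    """Return (PA/PB/PC sets, findings); a finding is (parameter, where, url)."""
    body = app(page_url)
    sets = partition(page_url, body)
    values = dict(parse_qsl(urlsplit(page_url).query, keep_blank_values=True))
    findings = []
    for name in sorted(sets["PA"] | sets["PB"] | sets["PC"]):
        if values.get(name, "").startswith(("http://", "https://")):
            continue   # heuristic: the value is itself a URL (whole-target case)
        for where, url in collect_urls(app(inject(page_url, name))):
            if NONCE_DECODED not in url:
                continue
            if url.replace(NONCE_DECODED, "", 1) == values.get(name):
                continue   # special case: parameter used as the entire link target
            findings.append((name, where, url))
    return sets, findings

def vulnerable_app(url):
    """Constructed target: copies decoded parameter values into new links and
    a form action by string concatenation, the pattern V-Scan detects."""
    q = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    par1, lang, ref = q.get("par1", ""), q.get("lang", "en"), q.get("ref", "")
    return (f'<a href="target.pl?x=y&w=z&par1={par1}&action=view">open</a>\n'
            f'<a href="{ref}">back</a>\n'
            f'<form action="pool.pl?lang={lang}"><input name="q"></form>\n')

if __name__ == "__main__":
    sets, findings = v_scan(vulnerable_app,
                            "app.php?par1=val1&lang=fr&ref=index.php&sid=123")
    print(sets)
    for finding in findings:
        print("injectable:", finding)
```

Against the constructed page, `par1` (a PA parameter) is reported as injectable through a link and `lang` through a form action, while `ref`, whose value is used verbatim as the target of the "back" link, is dropped by the whole-target heuristic even though the nonce does appear in that link.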
• 30. Implementation – The PAPAS tool
•  PAPAS: Parameter Pollution Analysis System
•  The components communicate via TCP/IP sockets
   –  Crawler and Scanner are written in Python
   –  The browser component has been implemented as a Firefox extension
   –  Advantage: we can see exactly how pages are rendered (copes with client-side scripts)
   –  Support for multiple sessions (parallelization)
• 31. Implementation – The PAPAS tool
•  PAPAS is fully customizable
   –  E.g., scanning depth, number of performed injections, page loading timeouts, etc.
•  Three modes are supported
   –  Fast mode, extensive mode, assisted mode
   –  In assisted mode, authenticated areas of a site can be scanned as well
• 32. Possible improvements
•  PAPAS does not support the crawling of links embedded in active content
   –  E.g., Flash
•  Support additional encoding schemes (UTF-8, double URL-encoding)
•  PAPAS currently only focuses on client-side exploits, where the user needs to click on a link
   –  HPP is also possible on the server side, but this is more difficult to detect
   –  Analogous to detecting stored XSS
• 33. Ethical Considerations
•  Only client-side attacks; server-side ones have the potential to cause harm
•  We provided the applications with innocuous parameters (&foo=bar). No malicious code.
•  Limited scan time (15 min) and activity per site
•  We immediately informed, when possible, the security engineers of the affected applications
   –  Grateful feedback
• 34. Two sets of experiments
•  We used PAPAS to scan a set of popular websites
   –  About 5,000 sites collected from the first 500 entries of Alexa's main categories
   –  The aim: to quickly scan as many websites as possible and see how common HPP flaws are
•  We then analyzed some of the sites we identified as HPP-vulnerable in more detail
• 35. The 5,016 tested sites
Category            # of Tested Applications
Financial           110
Games               300
Government          132
Health              235
Internet            698
News                599
Organization        106
Science             222
Shopping            460
Social Networking   117
Sports              256
Travel              175
University          91
Video               114
Others              1,401
• 36. Efficient assessment
•  In 13 days, we tested 5,016 sites and more than 149,000 unique pages
•  To maximize the speed, the scanner
   –  Crawled pages up to a distance of 3 from the homepage
   –  Considered only links with at least one parameter (except for the homepage)
   –  Considered at most 5 instances per page (same page, different query string)
   –  Ran with pop-ups, images and plug-ins for active content technologies disabled
• 37. Evaluation – Parameter Precedence
•  Database Errors
   –  Web developers do not seem aware that GET/POST parameters can be duplicated
• 38. Evaluation – Parameter Precedence
•  Parameter Inconsistency
   –  Sites developed using a combination of heterogeneous technologies (e.g. PHP and Perl), each with its own precedence
   –  This is perfectly safe if the developer is aware of the HPP threat… this is not always the case
• 39. Evaluation – HPP Vulnerabilities
•  PAPAS discovered that about 1,500 (30%) websites contained at least one page vulnerable to HTTP parameter injection
   –  The tool was able to inject (and verify) an encoded parameter
•  Vulnerable != Exploitable
   –  Is the parameter precedence consistent?
   –  Can a possible attacker override existing parameter values?
• 40. Vulnerable or exploitable?
•  Injection on a link:
   –  Parameter in the middle of the query string -> always overriding (whichever the precedence, some parameter sits on the right side of the injection point)
   –  Parameter at the beginning/end -> automated check via P-Scan
•  Injection on a form:
   –  The injected value is automatically encoded by the browser, so the delimiter does not split the value
   –  Still, someone may be able to run a two-step attack (client-side) or a server-side attack
• 41. Vulnerable or exploitable?
•  702 applications are exploitable
   –  About 14%
   –  The injected parameter either overrides the value of an existing one or is accepted as a "new parameter"
•  E.g. a new action is injected
   URL:  pool.pl?par1=val1%26action%3Dreset
   Link: target.pl?x=y&w=z&par1=val1&action=reset
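The vulnerable-versus-exploitable decision of slides 40–41, as an added example that is not part of the talk's tooling. `classify` takes the link before and after the nonce injection and the name of the polluted parameter: an injected name that did not exist before counts as an accepted new parameter (the pool.pl/target.pl case above); otherwise, an injection point in the middle of the query string can override something whatever the precedence, and at the beginning/end the P-Scan result decides, exactly as slide 40 states. `form_submission` shows why the form case is different: the browser percent-encodes the value, so `&action=reset` stays inside one parameter. The link strings are constructed from the slide's example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Added example, not PAPAS source: the "vulnerable or exploitable?" decision
# for a link that V-Scan found injectable. The links are constructed from the
# talk's pool.pl/target.pl example; precedence is what P-Scan would report.

def query_names(link):
    """Parameter names in a link's query string, in order, duplicates kept."""
    return [k for k, _ in parse_qsl(urlsplit(link).query, keep_blank_values=True)]

def override_targets(link, polluted, precedence):
    """Names an attacker can override by polluting `polluted` in `link`.
    The injected '&name=value' lands right after `polluted`, so it precedes
    every parameter after the injection point (wins if precedence is
    'first') and follows every parameter before it (wins if 'last')."""
    names = query_names(link)
    i = names.index(polluted)
    before, after = names[:i], names[i + 1:]
    if precedence == "first":
        return set(after)
    if precedence == "last":
        return set(before)
    raise ValueError("precedence must be 'first' or 'last' (run P-Scan)")

def always_overriding(link, polluted):
    """Injection point in the middle of the query string: something can be
    overridden whatever the precedence, so no P-Scan check is needed."""
    names = query_names(link)
    i = names.index(polluted)
    return bool(names[:i]) and bool(names[i + 1:])

def classify(link_before, link_after, polluted, precedence=None):
    """Exploitable if the injected parameter is accepted as a new one or can
    override an existing one; otherwise injectable but not exploitable."""
    new = set(query_names(link_after)) - set(query_names(link_before))
    if new:
        return "exploitable: new parameter(s) " + ",".join(sorted(new))
    if always_overriding(link_before, polluted):
        return "exploitable: overrides regardless of precedence"
    if precedence is None:
        return "needs P-Scan: injection point at beginning/end of the query"
    targets = override_targets(link_before, polluted, precedence)
    return ("exploitable: overrides " + ",".join(sorted(targets))
            if targets else "vulnerable but not exploitable")

def form_submission(fields):
    """What the browser sends for a form: values are percent-encoded, so an
    injected '&action=reset' stays inside one value instead of splitting it."""
    return urlencode(fields)

if __name__ == "__main__":
    print(classify("target.pl?x=y&w=z&par1=val1",
                   "target.pl?x=y&w=z&par1=val1&action=reset", "par1"))
    edge = "target.pl?par1=val1&action=view"
    for prec in (None, "first", "last"):
        print(prec, "->", classify(edge, "target.pl?par1=val1&action=reset&action=view",
                                   "par1", prec))
    print(form_submission({"par1": "val1&action=reset"}))
```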
  • 42. Evaluation •  More sensitive sites are equally (or even more) affected by the problem
• 43. False Positives
•  10 applications (1.12%) use the injected parameter as the entire target for one link
•  Variation of the special case we saw in slide 18 (V-Scan: special cases)
   –  The application applied a transformation to the parameter before using it as a link's URL, so the heuristic did not catch it
• 44. Some Case Studies
•  We investigated some of the websites in more detail
   –  Among our "victims": Facebook, Google, Symantec, Microsoft, PayPal, Flickr, FOX Video, VMware, …
   –  We notified security officers and some of the problems were fixed
   –  Facebook: share component
   –  Several shopping cart applications could be manipulated to change the price of an item
   –  Some banks were vulnerable and we could play around with parameters
   –  Google: search engine results could be manipulated
• 52. PAPAS Online Service
•  5K websites tested
   –  30% of sites are vulnerable: injectable parameters
   –  14% exploitable: possible to override or introduce arbitrary parameters/values
•  What about mine?
•  PAPAS @ http://papas.iseclab.org
   –  Free-to-use service
   –  Ownership token verification
   –  Configurable
• 54. HPP Prevention
•  Input validation
   –  Reject or re-encode query string delimiters (&, =) arriving inside a parameter value
•  Use safe methods
   –  Parameter precedence (ref. slide 14): decide explicitly what a duplicated parameter means instead of inheriting the framework's behaviour
   –  Channel (GET/POST/Cookie) validation (ref. slide 19): read each parameter only from the channel it is expected on
•  Raise awareness
   –  The client can provide the same parameter twice (or more)
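The three prevention measures of slide 54 in working form, as an added example that is not from the talk. `vulnerable_link` is the pattern PAPAS flags (a decoded value pasted into a new query string); `safe_link` re-encodes every value with `urlencode`, `reject_delimiters` and `single_value` implement input validation and an explicit parameter precedence (here: refuse duplicates), and `param` reads a name only from its expected channel. The request model, a dict holding the raw query string, body and cookie header, and the `target.pl` link layout are assumptions of this example.

```python
from urllib.parse import parse_qs, urlencode

# Added example, not from the talk: the three prevention measures as a request
# handler that rejects duplicated or delimiter-bearing parameters, reads each
# parameter only from its expected channel and re-encodes values when it
# builds links. The request model (raw query string, body and cookie header
# in a dict) is an assumption made for this example.

class HPPError(ValueError):
    """Raised when a request looks polluted or a value carries delimiters."""

DELIMITERS = "&=?#"

def vulnerable_link(par1):
    """The pattern PAPAS flags: the decoded value is pasted into a new query
    string, so 'val1&action=reset' becomes two parameters."""
    return f"target.pl?x=y&par1={par1}&action=view"

def safe_link(path, params):
    """Every value is percent-encoded again, so delimiters inside a value
    cannot split it: '&' -> %26, '=' -> %3D."""
    return f"{path}?{urlencode(params)}"

def reject_delimiters(value):
    """Input validation: refuse (decoded) values that contain query delimiters."""
    if any(c in value for c in DELIMITERS):
        raise HPPError(f"delimiter in parameter value: {value!r}")
    return value

def single_value(raw, name):
    """Explicit precedence: refuse a duplicated parameter instead of inheriting
    the framework's first/last/join behaviour."""
    values = parse_qs(raw, keep_blank_values=True).get(name, [])
    if len(values) > 1:
        raise HPPError(f"parameter {name} supplied {len(values)} times")
    return values[0] if values else None

def param(request, name, channel):
    """Channel validation: read `name` only from the channel it is expected on
    ('query', 'body' or 'cookie'), so a GET duplicate cannot shadow a POST value."""
    raw = request.get(channel, "")
    if channel == "cookie":
        raw = raw.replace("; ", "&")   # "a=1; b=2" -> "a=1&b=2" for parse_qs
    return single_value(raw, name)

def handle(request):
    """Build the 'open' link for a request, applying all three measures."""
    par1 = reject_delimiters(param(request, "par1", "query") or "")
    action = param(request, "action", "body") or "view"
    return safe_link("target.pl", {"x": "y", "par1": par1, "action": action})

if __name__ == "__main__":
    ok = {"query": "par1=val1", "body": "action=view", "cookie": "sid=1"}
    print(handle(ok))
    for bad in ({"query": "par1=val1&par1=x", "body": ""},
                {"query": "par1=val1%26action%3Dreset", "body": ""}):
        try:
            handle(bad)
        except HPPError as e:
            print("rejected:", e)
    print("what the vulnerable builder would have emitted:",
          vulnerable_link("val1&action=reset"))
```

Rejecting duplicates is the strict choice; an application that must accept them should still pick first or last explicitly in one place, so that a PHP front-end and a Perl back-end (the inconsistency case of slide 38) cannot disagree about which value is in effect.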
• 55. Acknowledgments, References
•  Joint work:
   –  M. Balduzzi, C. Torrano Gimenez, D. Balzarotti, and E. Kirda. Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications. In NDSS'11, San Diego, CA.
•  http://papas.iseclab.org/cgi-bin/resources.py
•  Black Hat's White Paper
• 56. Conclusion
•  Presented the first technique and system to detect HPP vulnerabilities in web applications
   –  We call it PAPAS, http://papas.iseclab.org
•  Conducted a large-scale study of the Internet
   –  About 5,000 web sites
•  Our results suggest that Parameter Pollution is a largely unknown and widespread problem
•  We hope our work will help raise awareness about HPP!
  • 57. Questions? embyte@iseclab.org