HTTP Parameter Pollution

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: HTTP Parameter Pollution
From: "Luca.carettoni" <luca.carettoni@xxxxxxxxxxxx>
Date: Tue, 19 May 2009 14:34:03 +0200
Cc: webappsec@xxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, stefano.dipaola@xxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: "Luca.carettoni" <luca.carettoni@xxxxxxxxxxxx>

Hi Folks,
              during OWASP AppSec 2009 we have presented a newly discovered 
input validation vulnerability called "HTTP Parameter Pollution" (HPP). 

Basically, it can be defined as the feasibility to override or add HTTP 
GET/POST parameters by injecting query string delimiters. 
During the last months, we have discovered several real world flaws in which 
HPP can be used to modify the application behaviors, access uncontrollable 
variables and even bypass input validation checkpoints and WAFs rules. 
Exploiting such HPP vulnerabilities, we have found several problems in some 
Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and 
many other products.

If you enjoy the web security world, you are kindly invited to have a look at:  
 
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

We're going to release additional materials in the next future, including a 
video of the Yahoo! attack vector. 
Stay tuned on http://blog.mindedsecurity.com and http://blog.nibblesec.org

Cheers,
Luca Carettoni and Stefano Di Paola

Prev by Date: (GET var 'id') BLIND SQL INJECTION EXPLOIT --Dog Pedigree Online Database v1.0.1-Beta -->
Next by Date: [ MDVSA-2009:117 ] ntp
Previous by thread: (GET var 'id') BLIND SQL INJECTION EXPLOIT --Dog Pedigree Online Database v1.0.1-Beta -->
Next by thread: [ MDVSA-2009:117 ] ntp
Index(es):
- Date
- Thread