Tuesday, May 19, 2009

Http Parameter Pollution a new web attack category (not just a new buzzword :p)

On May 14th @ OWASP Appsec Poland 2009, me & Luca Carettoni presented a new attack category called Http Parameter Pollution (HPP).

HPP attacks can be defined as the feasibility to override or add HTTP GET/POST parameters by injecting query string delimiters.
It affects a building block of all web technologies thus server-side and client-side attacks exist.
Exploiting HPP vulnerabilities, it may be possible to:
  • Override existing hardcoded HTTP parameters.
  • Modify the application behaviors.
  • Access and, potentially exploit, uncontrollable variables.
  • Bypass input validation checkpoints and WAFs rules.
Just to whet your appetite, I can anticipate that by researching real world HPP vulnerabilities, we found issues on some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and several other products.

You can download the slides of the talk here (pdf) or browse it on Slideshare.

Also, we'll soon release a whitepaper in order to clarify all details about HPP.

As last news, in a few days the video of "Yahoo! Classic Mail" exploitation of Client Side HPP will be available on this blog.
So...stay tuned!


  1. Hi Guys,

    first of all congratulations for the impressive work.

    It's not completely clear to me how HPP can be used to bypass XSRF protections you mentioned in te slides. Do you have any additional information about it?

    Thumbs up!

    Lane D.

  2. Thanks Guys,

    @Lane, you can have a look at

    which demonstrates the way to bypass Anti CSRF of Yahoo! Classic Mail.