HTTP Parameter Pollution (HPP) attacks can be defined as the ability to override or add HTTP GET/POST parameters by injecting query string delimiters.
HPP affects a building block of all web technologies, so both server-side and client-side attacks exist.
Exploiting HPP vulnerabilities, it may be possible to:
- Override existing hardcoded HTTP parameters.
- Modify the application's behavior.
- Access and potentially exploit uncontrollable variables.
- Bypass input validation checkpoints and WAF rules.
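
To make the override case concrete from a defender's side, here is an added Python example (not code from the talk or the slides): a link builder that embeds a decoded value unencoded, its percent-encoding fix, and a duplicate-name check. The `/cart` path, the `action` and `item` parameter names and the three parser policies are assumptions chosen for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample: the value of an "item" parameter after the framework
# has percent-decoded it (it arrived on the wire as 42%26action%3Ddelete).
POLLUTED_ITEM = "42&action=delete"


def build_link_unsafe(item):
    """Embeds the decoded value as-is, so '&' and '=' act as delimiters."""
    return "/cart?action=view&item=" + item


def build_link_safe(item):
    """Percent-encodes the value so it stays inside the 'item' parameter."""
    return "/cart?action=view&item=" + quote(item, safe="")


def duplicated_params(url):
    """Return the parameter names that occur more than once in the query."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    return sorted(name for name, n in counts.items() if n > 1)


def resolve(url, policy):
    """Resolve duplicates the way a 'first', 'last' or 'join' parser would.

    The three policies are hypothetical stand-ins for the fact that parsing
    layers disagree on which occurrence of a repeated name they keep.
    """
    out = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in out or policy == "last":
            out[name] = value
        elif policy == "join":
            out[name] += "," + value
    return out


if __name__ == "__main__":
    for build in (build_link_unsafe, build_link_safe):
        url = build(POLLUTED_ITEM)
        print(url, "duplicates:", duplicated_params(url))
        for policy in ("first", "last", "join"):
            print("  ", policy, "->", resolve(url, policy))
```

Rejecting or logging requests for which `duplicated_params` is non-empty is one place to put a check, and it only helps if every layer in front of the application parses the query string the same way.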
You can download the slides of the talk here (pdf) or browse them on Slideshare.
Also, we'll soon release a whitepaper in order to clarify all details about HPP.
Finally, in a few days the video of the "Yahoo! Classic Mail" client-side HPP exploitation will be available on this blog.
So...stay tuned!
Hi Guys,
first of all congratulations for the impressive work.
It's not completely clear to me how HPP can be used to bypass XSRF protections you mentioned in the slides. Do you have any additional information about it?
Thumbs up!
Lane D.
Nice Work!!
Thanks Guys,
@Lane, you can have a look at
http://blog.mindedsecurity.com/2009/05/client-side-http-parameter-pollution.html
which demonstrates the way to bypass Anti CSRF of Yahoo! Classic Mail.