HTTP Parameter Pollution

> On Tue, May 19, 2009 at 7:52 AM, Stefano Di Paola
> <stefano.dipaola@...> wrote:
>
>        
>         Hi guys,
>        
>         during OWASP AppSec Poland 2009 we presented a newly
>         discovered input
>         validation vulnerability called "HTTP Parameter
>         Pollution" (HPP).
>        
>         Basically, it can be defined as the feasibility to override or
>         add HTTP
>         GET/POST parameters by injecting query string delimiters.
>        
>         In the last months, we have discovered several real world
>         flaws in which
>         HPP can be used to modify the application behaviors, access
>         uncontrollable variables and even bypass input validation
>         checkpoints
>         and WAFs rules.
>        
>         Exploiting such HPP vulnerabilities, we have found several
>         problems in
>         some Google Search Appliance front-end scripts, Ask.com,
>         Yahoo! Mail
>         Classic and many other products.
>        
>         If you are interested, you are kindly invited to have a look
>         at:
>         http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>        
>
>
>
>
> FYI - Sverre Huseby has a write called Incompatible Parameter Parsing
> from 2005 which describes some of the same issues as HPP
> - http://shh.thathost.com/text/incompatible-parameter-parsing.txt
>
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com/
>
>
>  
>        
>         We're going to release additional materials in the next
>         future,
>         including a video of the Yahoo! attack vector.
>        
>         Stay tuned on http://blog.mindedsecurity.com and
>         http://blog.nibblesec.org
>        
>         Cheers,
>         Stefano Di Paola and Luca Carettoni
>        
>         --
>         Stefano Di Paola
>         Chief Technology Officer, LA/ISO27001
>         Minded Security Research Labs Director
>        
>         Minded Security - Application Security Consulting
>        
>         Official Site: www.mindedsecurity.com
>        
>         Personal Blog: www.wisec.it/sectou.php
>         ..................
>        
>        
>        
>        
>        
>
>

> Guys,
>
> A nice piece of research!  A comment on the slides "HPP Server Side  
> Attacks 1/2 and 2/2", I don't think that that case fits into the  
> definition of HPP.  It looks more like standard parameter manipulation  
> because it doesn't depend on the request having multiple parameters.
>
>
> Stephen
>
>
>
> >
> >
> > On May 19, 2009, at 1:52 PM, Stefano Di Paola wrote:
> >
> >> Hi guys,
> >>
> >> during OWASP AppSec Poland 2009 we presented a newly discovered input
> >> validation vulnerability called "HTTP Parameter Pollution" (HPP).
> >>
> >> Basically, it can be defined as the feasibility to override or add  
> >> HTTP
> >> GET/POST parameters by injecting query string delimiters.
> >>
> >> In the last months, we have discovered several real world flaws in  
> >> which
> >> HPP can be used to modify the application behaviors, access
> >> uncontrollable variables and even bypass input validation checkpoints
> >> and WAFs rules.
> >>
> >> Exploiting such HPP vulnerabilities, we have found several problems  
> >> in
> >> some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> >> Classic and many other products.
> >>
> >> If you are interested, you are kindly invited to have a look at:
> >> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> >>
> >> We're going to release additional materials in the next future,
> >> including a video of the Yahoo! attack vector.
> >>
> >> Stay tuned on http://blog.mindedsecurity.com and
> >> http://blog.nibblesec.org
> >>
> >> Cheers,
> >> Stefano Di Paola and Luca Carettoni
> >>
> >> --
> >> Stefano Di Paola
> >> Chief Technology Officer, LA/ISO27001
> >> Minded Security Research Labs Director
> >>
> >> Minded Security - Application Security Consulting
> >>
> >> Official Site: www.mindedsecurity.com
> >>
> >> Personal Blog: www.wisec.it/sectou.php
> >> ..................
> >>
> >>
> >>
> >>
> >>
> >
> > --
> > Stephen de Vries
> > Corsaire Ltd
> > E-mail: stephen@...
> > Tel: +44 1483 746714
> > Fax: +44 1483 746701
> > Web: http://www.corsaire.com
> >
> >
> >
> >
> >
>
>

>
> Hi guys,
>
> during OWASP AppSec Poland 2009 we presented a newly discovered input
> validation vulnerability called "HTTP Parameter Pollution" (HPP).
>
> Basically, it can be defined as the feasibility to override or add HTTP
> GET/POST parameters by injecting query string delimiters.
>
> In the last months, we have discovered several real world flaws in which
> HPP can be used to modify the application behaviors, access
> uncontrollable variables and even bypass input validation checkpoints
> and WAFs rules.
>
> Exploiting such HPP vulnerabilities, we have found several problems in
> some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> Classic and many other products.
>
> If you are interested, you are kindly invited to have a look at:  
> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>
> We're going to release additional materials in the next future,
> including a video of the Yahoo! attack vector.
>
> Stay tuned on http://blog.mindedsecurity.com and
> http://blog.nibblesec.org
>
> Cheers,
> Stefano Di Paola and Luca Carettoni
>
> --
> Stefano Di Paola
> Chief Technology Officer, LA/ISO27001
> Minded Security Research Labs Director
>
> Minded Security - Application Security Consulting
>
> Official Site: www.mindedsecurity.com
>
> Personal Blog: www.wisec.it/sectou.php
> ..................
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>

> Hello Stefano,
>
>
> This is a very interesting paper, I tested several websites and found
> some of them behaving unusual, I guess you need to add more
> harmful  attack vector to get more recognition for your white paper.
>
>
> I'm sharing here with another attack vector at a very popular Arabic
> search engine called Onkosh (check the image below)
>
>
> I guess another useful use from this attack is information leakage
> about the web server, since -as listed in your presentation- different
> web servers react differently to this attack, we can use that to know
> which web server we're dealing with and possibly form another attack
> depending on that.
>
>
> anyway this is really a great work
>
>
>
> HPP_example.png
>
>
> Thanks
>
>
> Mostafa Siraj
> Application Security Expert
> ITWorx Egypt
> www.ITWorx.com
>
>
>
>
>
>
> On Tue, May 19, 2009 at 2:52 PM, Stefano Di Paola
> <stefano.dipaola@...> wrote:
>         Hi guys,
>        
>         during OWASP AppSec Poland 2009 we presented a newly
>         discovered input
>         validation vulnerability called "HTTP Parameter
>         Pollution" (HPP).
>        
>         Basically, it can be defined as the feasibility to override or
>         add HTTP
>         GET/POST parameters by injecting query string delimiters.
>        
>         In the last months, we have discovered several real world
>         flaws in which
>         HPP can be used to modify the application behaviors, access
>         uncontrollable variables and even bypass input validation
>         checkpoints
>         and WAFs rules.
>        
>         Exploiting such HPP vulnerabilities, we have found several
>         problems in
>         some Google Search Appliance front-end scripts, Ask.com,
>         Yahoo! Mail
>         Classic and many other products.
>        
>         If you are interested, you are kindly invited to have a look
>         at:
>         http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>        
>         We're going to release additional materials in the next
>         future,
>         including a video of the Yahoo! attack vector.
>        
>         Stay tuned on http://blog.mindedsecurity.com and
>         http://blog.nibblesec.org
>        
>         Cheers,
>         Stefano Di Paola and Luca Carettoni
>        
>         --
>         Stefano Di Paola
>         Chief Technology Officer, LA/ISO27001
>         Minded Security Research Labs Director
>        
>         Minded Security - Application Security Consulting
>        
>         Official Site: www.mindedsecurity.com
>        
>         Personal Blog: www.wisec.it/sectou.php
>         ..................
>        
>        
>        
>         ----------------------------------------------------------------------------
>         Join us on IRC: irc.freenode.net #webappsec
>        
>         Have a question? Search The Web Security Mailing List
>         Archives:
>         http://www.webappsec.org/lists/websecurity/archive/
>        
>         Subscribe via RSS:
>         http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>        
>         Join WASC on LinkedIn
>         http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>        
>
>
>
> --
> "Our deepest fear is not that we are inadequate. Our deepest fear is
> that we are powerful beyond measure. It is our light, not our
> darkness, that most frightens us. We ask ourselves, who am I to be
> brilliant, gorgeous, talented, and fabulous?Actually, who are you not
> to be? You are a child of God. Your playing small doesn't serve the
> world. There's nothing enlightened about shrinking so that other
> people won't feel insecure around you. We are all meant to shine, as
> children do. We are born to make manifest the glory of God that is
> within us. It's not just in some of us, it's in everyone. And as we
> let our own light shine, we unconsciously give other people permission
> to do the same. As we are liberated from our own fear, our presence
> automatically liberates others." --Nelson Mandela--
>

> Hi guys,
>
> during OWASP AppSec Poland 2009 we presented a newly discovered input
> validation vulnerability called "HTTP Parameter Pollution" (HPP).
>
> Basically, it can be defined as the feasibility to override or add HTTP
> GET/POST parameters by injecting query string delimiters.
>
> In the last months, we have discovered several real world flaws in which
> HPP can be used to modify the application behaviors, access
> uncontrollable variables and even bypass input validation checkpoints
> and WAFs rules.
>
> Exploiting such HPP vulnerabilities, we have found several problems in
> some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> Classic and many other products.
>
> If you are interested, you are kindly invited to have a look at:
> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>
> We're going to release additional materials in the next future,
> including a video of the Yahoo! attack vector.
>
> Stay tuned on http://blog.mindedsecurity.com and
> http://blog.nibblesec.org
>
> Cheers,
> Stefano Di Paola and Luca Carettoni
>
> --
> Stefano Di Paola
> Chief Technology Officer, LA/ISO27001
> Minded Security Research Labs Director
>
> Minded Security - Application Security Consulting
>
> Official Site: www.mindedsecurity.com
>
> Personal Blog: www.wisec.it/sectou.php
> ..................
>
>
>
>
>

> Regards,
> - Robert
> http://www.cgisecurity.com/
> http://www.webappsec.org/
>
>
> >
> > Hi guys,
> >
> > during OWASP AppSec Poland 2009 we presented a newly discovered input
> > validation vulnerability called "HTTP Parameter Pollution" (HPP).
> >
> > Basically, it can be defined as the feasibility to override or add HTTP
> > GET/POST parameters by injecting query string delimiters.
> >
> > In the last months, we have discovered several real world flaws in which
> > HPP can be used to modify the application behaviors, access
> > uncontrollable variables and even bypass input validation checkpoints
> > and WAFs rules.
> >
> > Exploiting such HPP vulnerabilities, we have found several problems in
> > some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> > Classic and many other products.
> >
> > If you are interested, you are kindly invited to have a look at:  
> > http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> >
> > We're going to release additional materials in the next future,
> > including a video of the Yahoo! attack vector.
> >
> > Stay tuned on http://blog.mindedsecurity.com and
> > http://blog.nibblesec.org
> >
> > Cheers,
> > Stefano Di Paola and Luca Carettoni
> >
> > --
> > Stefano Di Paola
> > Chief Technology Officer, LA/ISO27001
> > Minded Security Research Labs Director
> >
> > Minded Security - Application Security Consulting
> >
> > Official Site: www.mindedsecurity.com
> >
> > Personal Blog: www.wisec.it/sectou.php
> > ..................
> >
> >
> >
> > ----------------------------------------------------------------------------
> > Join us on IRC: irc.freenode.net #webappsec
> >
> > Have a question? Search The Web Security Mailing List Archives:
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> > Subscribe via RSS:
> > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> >
> > Join WASC on LinkedIn
> > http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
>
>

> Hi Stefano,
>
> Your presentation discusses two separate issues:
>
> 1. The differences in how various components handle multiple request
> parameters with the same name when an application expects only one
> (parameter).
> 2. Attacks against query string construction flaws in applications.
>
> Just from reading the slides I couldn't determine which is the main
> topic, and which is the one you named HPP?
>
>
> On Tue, May 19, 2009 at 1:52 PM, Stefano Di Paola
> <stefano.dipaola@...> wrote:
> > Hi guys,
> >
> > during OWASP AppSec Poland 2009 we presented a newly discovered input
> > validation vulnerability called "HTTP Parameter Pollution" (HPP).
> >
> > Basically, it can be defined as the feasibility to override or add HTTP
> > GET/POST parameters by injecting query string delimiters.
> >
> > In the last months, we have discovered several real world flaws in which
> > HPP can be used to modify the application behaviors, access
> > uncontrollable variables and even bypass input validation checkpoints
> > and WAFs rules.
> >
> > Exploiting such HPP vulnerabilities, we have found several problems in
> > some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> > Classic and many other products.
> >
> > If you are interested, you are kindly invited to have a look at:
> > http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> >
> > We're going to release additional materials in the next future,
> > including a video of the Yahoo! attack vector.
> >
> > Stay tuned on http://blog.mindedsecurity.com and
> > http://blog.nibblesec.org
> >
> > Cheers,
> > Stefano Di Paola and Luca Carettoni
> >
> > --
> > Stefano Di Paola
> > Chief Technology Officer, LA/ISO27001
> > Minded Security Research Labs Director
> >
> > Minded Security - Application Security Consulting
> >
> > Official Site: www.mindedsecurity.com
> >
> > Personal Blog: www.wisec.it/sectou.php
> > ..................
> >
> >
> >
> >
> >
>
>
>

> Hi Ivan,
>
> HPP is an input validation vulnerability and, consequentially a
> possible attack, triggered by injection flaws in the context of
> generating QueryStrings/POST payloads.
>
> If you have only an injection (server or client side) in the context of
> query string construction, it doesn't mean you can actually override
> hardcoded parameters' values because of web server behaviour.
> On the other hand, if you know the web server/application behaviour and
> you cannot inject any parameter then you are obviously safe.
>
> So you need both hypothesis in order to exploit the issue.
>
> The main topic is that after identifying the application behaviour in
> managing multiple occurrences and considering which are the layers data
> passes through, an attacker could exploit the parameter injection
> vulnerability. And this is HPP.
>
> I hope we answered your question.
> However within the whitepaper, we are going to explain everything in
> detail and likely, we will be able to show the essence of this flaw.
>
> Cheers,
> Stefano & Luca
>
> Il giorno mer, 20/05/2009 alle 10.06 +0200, Ivan Ristic ha scritto:
>> Hi Stefano,
>>
>> Your presentation discusses two separate issues:
>>
>> 1. The differences in how various components handle multiple request
>> parameters with the same name when an application expects only one
>> (parameter).
>> 2. Attacks against query string construction flaws in applications.
>>
>> Just from reading the slides I couldn't determine which is the main
>> topic, and which is the one you named HPP?
>>
>>
>> On Tue, May 19, 2009 at 1:52 PM, Stefano Di Paola
>> <stefano.dipaola@...> wrote:
>> > Hi guys,
>> >
>> > during OWASP AppSec Poland 2009 we presented a newly discovered input
>> > validation vulnerability called "HTTP Parameter Pollution" (HPP).
>> >
>> > Basically, it can be defined as the feasibility to override or add HTTP
>> > GET/POST parameters by injecting query string delimiters.
>> >
>> > In the last months, we have discovered several real world flaws in which
>> > HPP can be used to modify the application behaviors, access
>> > uncontrollable variables and even bypass input validation checkpoints
>> > and WAFs rules.
>> >
>> > Exploiting such HPP vulnerabilities, we have found several problems in
>> > some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
>> > Classic and many other products.
>> >
>> > If you are interested, you are kindly invited to have a look at:
>> > http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>> >
>> > We're going to release additional materials in the next future,
>> > including a video of the Yahoo! attack vector.
>> >
>> > Stay tuned on http://blog.mindedsecurity.com and
>> > http://blog.nibblesec.org
>> >
>> > Cheers,
>> > Stefano Di Paola and Luca Carettoni
>> >
>> > --
>> > Stefano Di Paola
>> > Chief Technology Officer, LA/ISO27001
>> > Minded Security Research Labs Director
>> >
>> > Minded Security - Application Security Consulting
>> >
>> > Official Site: www.mindedsecurity.com
>> >
>> > Personal Blog: www.wisec.it/sectou.php
>> > ..................
>> >
>> >
>> >
>> >
>> >
>>
>>
>>
> --
> ...oOOo...oOOo....
> Stefano Di Paola
> Software & Security Engineer
>
> Owasp Italy R&D Director
>
> Web: www.wisec.it
> ..................
>
>
>

> On Tue, May 19, 2009 at 7:52 AM, Stefano Di Paola <stefano.dipaola@...>
> wrote:
>>
>> Hi guys,
>>
>> during OWASP AppSec Poland 2009 we presented a newly discovered input
>> validation vulnerability called "HTTP Parameter Pollution" (HPP).
>>
>> Basically, it can be defined as the feasibility to override or add HTTP
>> GET/POST parameters by injecting query string delimiters.
>>
>> In the last months, we have discovered several real world flaws in which
>> HPP can be used to modify the application behaviors, access
>> uncontrollable variables and even bypass input validation checkpoints
>> and WAFs rules.
>>
>> Exploiting such HPP vulnerabilities, we have found several problems in
>> some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
>> Classic and many other products.
>>
>> If you are interested, you are kindly invited to have a look at:
>> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>
>
> FYI - Sverre Huseby has a write called Incompatible Parameter Parsing from
> 2005 which describes some of the same issues as HPP
> - http://shh.thathost.com/text/incompatible-parameter-parsing.txt
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com/
>
>>
>> We're going to release additional materials in the next future,
>> including a video of the Yahoo! attack vector.
>>
>> Stay tuned on http://blog.mindedsecurity.com and
>> http://blog.nibblesec.org
>>
>> Cheers,
>> Stefano Di Paola and Luca Carettoni
>>
>> --
>> Stefano Di Paola
>> Chief Technology Officer, LA/ISO27001
>> Minded Security Research Labs Director
>>
>> Minded Security - Application Security Consulting
>>
>> Official Site: www.mindedsecurity.com
>>
>> Personal Blog: www.wisec.it/sectou.php
>> ..................
>>
>>
>>
>>
>
>

> I don't think the two issues are "married", as you imply. For example,
> let's assume that my application uses a backend subrequest whose query
> string is constructed out of the value of the paramter "param":
>
> http://backend.server/doSomething?key=$param
>
> and that you inject "value&injectedKey=injectedValue" (URL-encoded)
> into "param". The resulting backend request would thus be
>
> http://backend.server/doSomething?key=value&injectedKey=injectedValue
>
> So you have managed to pull off an attack using just query string
> injection. Depending on the backend service, that alone may be enough
> for exploitation.
>
> Thus, I think HPP is the injection part alone.
>
> I think your presentation would benefit from moving the discussion of
> parameter processing inconsistencies into the second half, positioning
> it as an additional technique that is needed to maximise the effect of
> the injection vulnerability.
>
>
> On Wed, May 20, 2009 at 2:13 PM, Stefano Di Paola
> <stefano.dipaola@...> wrote:
> > Hi Ivan,
> >
> > HPP is an input validation vulnerability and, consequentially a
> > possible attack, triggered by injection flaws in the context of
> > generating QueryStrings/POST payloads.
> >
> > If you have only an injection (server or client side) in the context of
> > query string construction, it doesn't mean you can actually override
> > hardcoded parameters' values because of web server behaviour.
> > On the other hand, if you know the web server/application behaviour and
> > you cannot inject any parameter then you are obviously safe.
> >
> > So you need both hypothesis in order to exploit the issue.
> >
> > The main topic is that after identifying the application behaviour in
> > managing multiple occurrences and considering which are the layers data
> > passes through, an attacker could exploit the parameter injection
> > vulnerability. And this is HPP.
> >
> > I hope we answered your question.
> > However within the whitepaper, we are going to explain everything in
> > detail and likely, we will be able to show the essence of this flaw.
> >
> > Cheers,
> > Stefano & Luca
> >
> > Il giorno mer, 20/05/2009 alle 10.06 +0200, Ivan Ristic ha scritto:
> >> Hi Stefano,
> >>
> >> Your presentation discusses two separate issues:
> >>
> >> 1. The differences in how various components handle multiple request
> >> parameters with the same name when an application expects only one
> >> (parameter).
> >> 2. Attacks against query string construction flaws in applications.
> >>
> >> Just from reading the slides I couldn't determine which is the main
> >> topic, and which is the one you named HPP?
> >>
> >>
> >> On Tue, May 19, 2009 at 1:52 PM, Stefano Di Paola
> >> <stefano.dipaola@...> wrote:
> >> > Hi guys,
> >> >
> >> > during OWASP AppSec Poland 2009 we presented a newly discovered input
> >> > validation vulnerability called "HTTP Parameter Pollution" (HPP).
> >> >
> >> > Basically, it can be defined as the feasibility to override or add HTTP
> >> > GET/POST parameters by injecting query string delimiters.
> >> >
> >> > In the last months, we have discovered several real world flaws in which
> >> > HPP can be used to modify the application behaviors, access
> >> > uncontrollable variables and even bypass input validation checkpoints
> >> > and WAFs rules.
> >> >
> >> > Exploiting such HPP vulnerabilities, we have found several problems in
> >> > some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> >> > Classic and many other products.
> >> >
> >> > If you are interested, you are kindly invited to have a look at:
> >> > http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> >> >
> >> > We're going to release additional materials in the next future,
> >> > including a video of the Yahoo! attack vector.
> >> >
> >> > Stay tuned on http://blog.mindedsecurity.com and
> >> > http://blog.nibblesec.org
> >> >
> >> > Cheers,
> >> > Stefano Di Paola and Luca Carettoni
> >> >
> >> > --
> >> > Stefano Di Paola
> >> > Chief Technology Officer, LA/ISO27001
> >> > Minded Security Research Labs Director
> >> >
> >> > Minded Security - Application Security Consulting
> >> >
> >> > Official Site: www.mindedsecurity.com
> >> >
> >> > Personal Blog: www.wisec.it/sectou.php
> >> > ..................
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >>
> >>
> > --
> > ...oOOo...oOOo....
> > Stefano Di Paola
> > Software & Security Engineer
> >
> > Owasp Italy R&D Director
> >
> > Web: www.wisec.it
> > ..................
> >
> >
> >
>
>
>

>
> ...
>
> Having said that, we think there's something you're missing from the
> application point of view.
>
> The fact that the web server behavior does not affects HPP, would be
> correct only, and only if, there is no other hardcoded parameter.
>
> But think about:
>
> URL #1
> http://backend.server/doSomething?action=view&key=$param
>
> and
>
> URL #2
> http://backend.server/doSomething?key=$param&action=view
>
>
> Given that the injection is the issue, and that the attack is:
>
> value%26action=delete%23
>
> which is the safe url and which the vulnerable one?

> On Wed, May 20, 2009 at 5:30 PM, Stefano Di Paola
> <stefano.dipaola@...> wrote:
> >
> > ...
> >
> > Having said that, we think there's something you're missing from the
> > application point of view.
> >
> > The fact that the web server behavior does not affects HPP, would be
> > correct only, and only if, there is no other hardcoded parameter.
> >
> > But think about:
> >
> > URL #1
> > http://backend.server/doSomething?action=view&key=$param
> >
> > and
> >
> > URL #2
> > http://backend.server/doSomething?key=$param&action=view
> >
> >
> > Given that the injection is the issue, and that the attack is:
> >
> > value%26action=delete%23
> >
> > which is the safe url and which the vulnerable one?
>
> Both are vulnerable because both can be manipulated. Only one is
> exploitable. The difference here is that I don't care about
> exploitability and you do. My view is that if I don't know how to
> exploit a vulnerability that does not mean that there isn't someone
> else who can :)
>
> That's why, in my view, the additional technique you need for
> exploitability does not matter.

> > 2. It would be better if an RFC or similar states how to treat them.
>
> I would disagree with this.  This isn't a standard thing really; it is
> perfectly valid for an application to expect zero/one/infinity
> parameters; the issue only arises when the application does not handle a
> mismatch between expectation and actuality...
>
> Martin...
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>