Re: FW: HTTP Parameter Pollution

Thanks!

If you have an interesting finding and you would like to share it with us, we may consider including it in the whitepaper. This is true for Marco as well as for all of you. Several HPP-like flaws are probably around, and awareness is the key to resolving the issue.

Cheers,
Luca & Stefano

-----Original message-----
From: Marco Mella marco.mella@...
Date: Thu, 21 May 2009 09:39:49 +0200
To: stefano.dipaola@..., luca.carettoni@...
Subject: Re: FW: HTTP Parameter Pollution

> Hi Stefano, Luca. Very good job.
> I think that HPP opens a new, very interesting perspective for web application
> security on both sides of the medal, attack and defense.
> I have tried some web sites and I have found very interesting side-effects of
> HPP.
>
> Cheers,
> Marco
>
> > Hi guys,
> >
> > during OWASP AppSec Poland 2009 we presented a newly discovered input
> > validation vulnerability called "HTTP Parameter Pollution" (HPP).
> >
> > Basically, it can be defined as the feasibility to override or add HTTP
> > GET/POST parameters by injecting query string delimiters.
> >
> > In the last months, we have discovered several real world flaws in which
> > HPP can be used to modify the application behaviors, access
> > uncontrollable variables and even bypass input validation checkpoints
> > and WAF rules.
> >
> > Exploiting such HPP vulnerabilities, we have found several problems in
> > some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail
> > Classic and many other products.
> >
> > If you are interested, you are kindly invited to have a look at:
> > http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> >
> > We're going to release additional materials in the near future,
> > including a video of the Yahoo! attack vector.
> >
> > Stay tuned on http://blog.mindedsecurity.com and
> > http://blog.nibblesec.org
> >
> > Cheers,
> > Stefano Di Paola and Luca Carettoni
> >
> > --
> > Stefano Di Paola
> > Chief Technology Officer, LA/ISO27001
> > Minded Security Research Labs Director
> >
> > Minded Security - Application Security Consulting
> >
> > Official Site: www.mindedsecurity.com
> >
> > Personal Blog: www.wisec.it/sectou.php
> > ..................
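An added example, not code from the thread or from the whitepaper, showing the defender's side of what the announcement describes: a small Python check that flags repeated parameter names in a query string (the condition HPP depends on) and emulates the three common back-end resolution policies, "first", "last" and "join", whose disagreement between a front end and the application behind it is what lets a parameter slip past validation. The sample query strings and function names are constructed for this example.

```python
from urllib.parse import parse_qsl

# Constructed sample query strings (not from the thread); the last two repeat
# a parameter name, which is exactly the condition HPP depends on.
SAMPLE_QUERIES = [
    "q=owasp&lang=en",
    "q=owasp&q=hpp&lang=en",
    "page=1&page=2&sort=asc",
]


def duplicated_params(query: str) -> dict:
    """Map each parameter name that occurs more than once to all of its values."""
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def is_polluted(query: str) -> bool:
    """A request carrying any repeated parameter name should be rejected up front."""
    return bool(duplicated_params(query))


def resolve_params(query: str, policy: str) -> dict:
    """Emulate how a back end picks a value for a repeated name.

    'first' keeps the first occurrence, 'last' keeps the last, 'join'
    concatenates the values with a comma. A WAF that applies one policy
    while the application applies another is the gap HPP exploits, so a
    defender should know which policy every layer in the chain uses.
    """
    if policy not in ("first", "last", "join"):
        raise ValueError(f"unknown policy: {policy}")
    resolved = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in resolved:
            resolved[name] = value
        elif policy == "last":
            resolved[name] = value
        elif policy == "join":
            resolved[name] = resolved[name] + "," + value
    return resolved


def scan(queries) -> list:
    """Return the queries that carry repeated parameter names (for log review)."""
    return [q for q in queries if is_polluted(q)]
```

Run `scan()` over the query strings in an access log to find the requests a duplicate-parameter reject rule would have blocked, and compare `resolve_params()` under each policy to see which value each layer would have acted on.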