Thursday, May 28, 2009

HTTP Parameter Pollution

>>>> New type of attack on web applications: Parameter Pollution

At the recent OWASP conference, the Italian security experts Luca Carettoni and Stefano Di Paola demonstrated a new way of manipulating web applications and tricking security systems: HTTP Parameter Pollution (HPP).

This form of attack essentially involves submitting the parameters in GET and POST requests in unusual form or order, or with unusual delimiters. A request like:

GET /foo?par1=val1&par2=val2 HTTP/1.1

will be processed in the normal way, while

GET /foo?par1=val1&par1=val2 HTTP/1.1

with two occurrences of par1 can result in various different server-side variable interpretations, depending on the web server's or application's parsing routine. According to Carettoni and Di Paola, this can cause the application to behave in an unwanted and highly unpredictable way and result in security issues.

Web application firewalls (WAFs) and server security extensions are also vulnerable to HPP attacks. While Apache's ModSecurity module recognises an SQL-injection attack like:

/index.aspx?page=select 1,2,3 from table where id=1

it fails to detect

/index.aspx?page=select 1&page=2,3 from table where id=1

say the security experts. HPP can reportedly also be exploited for launching Cross-Site-Scripting attacks (XSS) on web browsers. The XSS filter of Internet Explorer 8 is apparently among the components vulnerable to this kind of attack.

Carettoni and Di Paola recommend stricter filtering and URL encoding to counteract HPP. They also recommend using strict regular expressions in URL rewriting.