Web Attacks Using HTTP Parameter Pollution
At the OWASP AppSec Poland 2009 web security conference, two Italian security researchers presented a new class of web application attack. The slides for the technique, called HTTP Parameter Pollution (HPP), are now available online.
The attack class adds another technique to the known ways of injecting scripts or SQL fragments into HTTP GET or POST requests. Stefano Di Paola and Luca Carettoni explain it in their presentation in terms of how parameter-value pairs are assigned.
Supplying the same parameter more than once, as in the following HTTP request, can lead to unexpected behavior in web applications:
GET /foo?par1=val1&par1=val2 HTTP/1.1
Which value par1 ends up with depends on the server and framework: some take the first occurrence (Perl CGI, Tomcat/JSP), some the last (PHP), others concatenate all occurrences with a comma (ASP.NET) and still others build an array (Python/Zope).
What begins at the HTTP server carries through to frameworks and applications. Di Paola and Carettoni demonstrate the HPP effect on the CUPS print system's web interface, in a CPAN search and in the Plone web framework. According to the two researchers, an HPP attack can override parameters the application hard-codes, and so reach code paths the developer never intended to expose. Under certain circumstances, even web application firewalls (WAFs) and other detection and sanitization layers can be bypassed.
Further slides show how HPP interacts with application code and how HTTP cookies and URL rewriting come into play. Practical examples cover filter bypasses against ModSecurity and PHPIDS, attacks on the Google Search Appliance and other web search engines, as well as Yahoo! Mail Classic.
Countermeasures suggested by Di Paola and Carettoni include URL-encoding any user-supplied data that is embedded in a URL and using strict regular expressions (regex) in URL rewriting rules. Above all, they recommend knowing how each component of the application stack resolves duplicate parameters and applying strict input filtering. The two have published an extensive white paper on the subject. The presentation slides can be downloaded from the Open Web Application Security Project (OWASP) website.
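The following is an added example, not code from the presentation, the white paper or this article. It models the four ways platforms resolve a repeated parameter (first, last, comma-concatenated, array) and then shows the WAF-bypass effect from the slides: a SQL payload split across two copies of one parameter, where neither half matches a per-value filter rule but the comma ASP.NET inserts lands inside a SQL comment, so the recombined value is a tautology. The strategy-to-platform mapping follows the table in the HPP paper; SQLI_RULE is a deliberately simple constructed rule, not ModSecurity's or PHPIDS's actual signature, and the URLs are constructed for this example.

```python
"""Added example (not from the HPP presentation or the article): how servers
resolve a repeated parameter, and why a per-value filter misses a payload
that is split across two copies of the parameter.

Assumptions: strategy-to-platform mapping per the HPP paper's table;
SQLI_RULE is a constructed toy rule, not a real WAF signature; URLs are
constructed for this example."""
import re
from urllib.parse import parse_qs, urlsplit


def parse_params(url):
    """Every occurrence of every parameter, in request order."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def resolve(values, strategy):
    """Collapse a parameter's occurrences the way a given platform does."""
    if strategy == "first":     # Perl CGI, Tomcat/JSP
        return values[0]
    if strategy == "last":      # PHP, Ruby on Rails
        return values[-1]
    if strategy == "concat":    # ASP.NET joins all occurrences with a comma
        return ",".join(values)
    if strategy == "array":     # Python/Zope keeps them all
        return list(values)
    raise ValueError("unknown strategy: %s" % strategy)


# Constructed WAF rule: a quote followed by the classic "or 1=1" tautology.
SQLI_RULE = re.compile(r"'\s*or\s+1\s*=\s*1", re.I)


def waf_flags(params):
    """Per-value inspection: each occurrence is checked on its own."""
    return any(SQLI_RULE.search(v) for values in params.values() for v in values)


def sql_strips_comments(value):
    """What the database effectively parses once /* ... */ comments are removed."""
    return re.sub(r"/\*.*?\*/", "", value)


def backend_view(url, strategy):
    """The value each parameter has after platform-specific resolution."""
    return {k: resolve(v, strategy) for k, v in parse_params(url).items()}


if __name__ == "__main__":
    # The article's request: which value does par1 get on each platform?
    for s in ("first", "last", "concat", "array"):
        print(s, backend_view("/foo?par1=val1&par1=val2", s))

    # Split payload: neither half matches SQLI_RULE, but after ASP.NET joins
    # them the comma sits inside a SQL comment and the rest is a tautology.
    split = "/item?id=1'/*&id=*/or%201=1--"
    params = parse_params(split)
    print("WAF flags:", waf_flags(params))              # False
    joined = resolve(params["id"], "concat")
    print("backend gets:", joined)                      # 1'/*,*/or 1=1--
    print("SQL parses:", sql_strips_comments(joined))   # 1'or 1=1--
```

The same request is harmless on a first-occurrence platform and a truncated fragment on a last-occurrence one, which is why the attacker has to know, or probe for, the resolution rule of the target stack before choosing how to split the payload.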
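The following is an added example, not code from the article or from Di Paola and Carettoni, of the hard-coded-parameter override mentioned above and of the two countermeasures they recommend. An application builds a link by splicing a once-decoded user value into a URL that already fixes op=view; a user who supplies 123%26op%3Ddelete injects a second op parameter, and a last-occurrence-wins backend such as PHP acts on delete. URL-encoding the value and validating it against a strict regex both close the hole. The /action endpoint, its op and id parameters and the attacker input are hypothetical and constructed for this example.

```python
"""Added example (not from the article or the HPP paper): a link built by
concatenating a once-decoded user value lets the user inject a second copy
of a parameter the application hard-codes; URL encoding and strict regex
validation, the presenters' recommended countermeasures, prevent it.

Assumptions: /action and its op/id parameters are hypothetical; the backend
models a last-occurrence-wins platform such as PHP; the attacker input is
constructed for this example."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit


def build_link_unsafe(user_id):
    """Vulnerable: the decoded user value is concatenated verbatim."""
    return "/action?op=view&id=" + user_id


def build_link_encoded(user_id):
    """Countermeasure 1: urlencode turns '&' and '=' in the value into %26 / %3D."""
    return "/action?" + urlencode({"op": "view", "id": user_id})


ID_RE = re.compile(r"[0-9]{1,10}")


def is_valid_id(user_id):
    """Countermeasure 2: a strict whitelist regex for what an id may look like."""
    return ID_RE.fullmatch(user_id) is not None


def build_link_strict(user_id):
    """Validate, then encode: anything that is not a plain numeric id is rejected."""
    if not is_valid_id(user_id):
        raise ValueError("id must be 1-10 digits")
    return build_link_encoded(user_id)


def backend_params(link):
    """A last-occurrence-wins backend: the final copy of each parameter counts."""
    return {k: v[-1] for k, v in parse_qs(urlsplit(link).query).items()}


def backend_op(link):
    """The operation the backend will actually perform for this link."""
    return backend_params(link)["op"]


if __name__ == "__main__":
    # The attacker sends id=123%26op%3Ddelete; the framework decodes it once
    # to this string before the application embeds it in a new link.
    attacker_id = "123&op=delete"
    for build in (build_link_unsafe, build_link_encoded):
        link = build(attacker_id)
        print(link, "-> op =", backend_op(link))
    print("strict validation accepts attacker id:", is_valid_id(attacker_id))
```

Encoding alone is enough to keep the injected pair inside the id value, where the backend sees it as data; the regex is the defence in depth for the case where some other component along the path decodes the value a second time.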