HTTP parameter pollution
HTTP Parameter Pollution or HPP in short is a vulnerability that occurs due to passing of multiple parameters having same name. There is no RFC standard on what should be done when passed multiple parameters. This vulnerability was first discovered in 2009. [1].HPP could be used for cross channel pollution, bypassing CSRF protection and WAF input validation checks.[2]
| HTTP |
|---|
| Request methods |
| Header fields |
| Status codes |
| Security access control methods |
| Security vulnerabilities |
Behaviour
When passed multiple parameters with same name, here is how backend behaves
| Technology | Parsing result | Example |
|---|---|---|
| ASP.NET/IIS | All occurrences concatenated with a comma | param=val1,val2 |
| ASP/IIS | All occurrences concatenated with a comma | param=val1,val2 |
| PHP/Apache | Last occurence only | param=val2 |
| PHP/Zeus | Last occurence only | param=val2 |
| JSP, Servlet/Apache Tomcat | First occurence only | param=val1 |
| JSP, Servlet/Oracle Application Server | First occurence only | param=val1 |
| JSP, Servlet/Jetty | First occurence only | param=val1 |
| IBM Lotus Domino | Last occurrence only | param=val2 |
| IBM HTTP Server | First occurence only | param=val1 |
| mod_perl,libapreq2/Apache | First occurence only | param=val1 |
| Perl CGI/Apache | First occurence only | param=val1 |
| mod_wsgi (Python)/Apache | First occurence only | param=val1 |
| Python/Zope | All occurences in list(array) | param=['val1','val2'] |
Types
Prevention
Proper input validation and awareness about web technology on HPP is protection against HTTP Parameter Pollution.[4]
gollark: Yes, you can look at national statistics instead of who you happen to know.
gollark: The """server""" is a raspberry pi, but it runs mildly important things.
gollark: Okay, that was easy, it just needed to be power cycled.
gollark: I'm going to be absent for this briefly while I investigate the mysterious nonexistence of one of my """servers""".
gollark: Oh, the long now clock thing, it's neat.
References
- "WSTG - Latest:Testing for HTTP Parameter Pollution".
- "HTTP Parameter Pollution Vulnerabilities in Web Applications" (PDF). 2011.
- Luca Carettoni and Stefano Di Paola. "HTTP Parameter Pollution" (PDF).CS1 maint: uses authors parameter (link)
- "How to Detect HTTP Parameter Pollution Attacks".
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.