SlideShare uma empresa Scribd logo

HTTP Parameter Pollution Vulnerabilities in Web Apps

Marco Balduzzi
Marco Balduzzi

While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.

Tecnologia
1 de 57
Baixar para ler offline
HTTP Parameter Pollution Vulnerabilities in Web Applications Marco `embyte’ Balduzzi (C. Torrano, D.Balzarotti, E. Kirda) Do you have the last version of this presentation? http://www.iseclab.org/people/embyte/slides/BHEU2011/hpp-bhEU2011.pdf
Overview •  Introduction •  HTTP Parameter Pollution •  Detection Approach •  Tool •  Experiments •  Results •  Demo •  Conclusions
Who am I? •  From Bergamo (IT) to the French Riviera •  MSc in Computer Engineering •  PhD student at EURECOM •  8+ years experience in IT Security •  Engineer and consultant for different international firms •  Co-founder of BGLug, Applied Uni Lab, (ex) SPINE Group, Nast, etc… •  http://www.iseclab.org/people/embyte
The Web as We Know It •  Has evolved from being a collection of simple and static pages to fully dynamic applications •  Applications are more complex than they used to be •  Multi-tier architecture is the normal •  Many complex systems have web interfaces
The Web before
Now
Increased Importance of Web Security •  As a consequence: –  Web security has increased in importance –  OWASP, the Top Ten Project –  Attack against web apps constitute 60% of attacks on the Internet (SANS’s The Top Cyber Security Risks) –  Application being targeted for hosting drive-by- download content or C&C servers –  Malware targeting browsers (e.g. key and network loggers)
Increased Importance of Web Security •  A lot of work done to detect injection type flaws: –  SQL Injection –  Cross Site Scripting –  Command Injection •  Injection vulnerabilities have been well-studied, and tools exist –  Sanitization routines in languages (e.g., PHP) –  Static code analysis (e.g., Pixy, OWASP Orizon) –  Dynamic techniques (e.g., Huang et al.) –  Web Application Firewalls (WAF)
HTTP Parameter Pollution •  A new class of Injection Vulnerability called HTTP Parameter Pollution (HPP) is less known –  Has not received much attention –  First presented by S. di Paola and L. Carettoni at OWASP 2009 •  Attack consists of injecting encoded query string delimiters into existing HTTP parameters (e.g. GET/POST/Cookie) –  If application does not sanitize its inputs, HPP can be used to launch client-side or server-side attacks –  Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach
Research Objectives •  To create the first automated approach for detecting HPP flaws –  Blackbox approach, consists of a set of tests and heuristics •  To find out how prevalent HPP problems were on the web –  Is the problem being exaggerated? –  Is this problem known by developers? –  Does this problem occur more in smaller sites than larger sites? –  What is the significance of the problem?
HTTP Parameter Handling •  During interaction with web application, client provides parameters via GET/POST/Cookie –  http://www.site.com/login?login=alice •  HTTP allows the same parameter to be provided twice –  E.g., in a form checkbox http://www.w3schools.com/html/tryit.asp?filename=tryhtml_form_checkbox •  What happens when the same parameter is provided twice? –  http://www.site.com/login?login=alice&login=bob
Google example
Yahoo example
HTTP Parameter Handling •  We manually tested common methods of 5 different languages Technology/Server Tested Method Parameter Precedence ASP/IIS Request.QueryString(“par”) All (comma-delimited string) PHP/Apache $_GET(“par”) Last JSP/Tomcat Request.getParameter(“par”) First Perl(CGI)/Apache Param(“par”) First Python/Apache getvalue(“par”) All (List) •  There is nothing bad with it, if the developer is aware of this behavior •  Languages provide secure functions (python’s getfirst())
HTTP Parameter Pollution •  An HTTP Parameter Pollution (HPP) attack occurs –  When a malicious parameter Pinj, preceded by an encoded query string delimiter (e.g. %26), is injected into an existing parameter Phost •  Typical scenario (client-side) –  Web application for election for two candidates
HTTP Parameter Pollution Url : http://host/election.jsp?poll_id=4568 Link1: <a href="vote.jsp?poll_id=4568&candidate=white”> Vote for Mr.White </a> Link2: <a href="vote.jsp?poll_id=4568&candidate=green”> Vote for Mrs.Green </a> •  The two links are built from the URL ID = Request.getParameter(“pool_id”) href_link = “vote.jsp?poll_id=” + ID + ”&candidate=xyz” •  No sanitization
HTTP Parameter Pollution •  poll_id is vulnerable and Attacker creates URL: http://host/election.jsp?poll_id=4568%26candidate%3Dgreen •  The resulting page now contains injected links: <a href=vote.jsp?pool_id=4568&candidate=green&candidate=white> Vote for Mr. White </a> <a href=vote.jsp?pool_id=4568&candidate=green&candidate=green> Vote for Mrs. Green </a> •  If the developer expects to receive a single value –  Jsp’s Request.getParameter(“candidate”)returns the 1st value –  The parameter precedence is consistent… •  Candidate Mrs. Green is always voted!
Consequence •  Override existing (hardcoded) values •  Inject a new parameter •  Exploit a parameter out of a direct reach •  Client-side (user) or server-side (web- application) attack
Parameter Pollution – More uses •  Cross-channel pollution –  HPP attacks can also be used to override parameters between different input channels (GET/POST/Cookie) –  Good security practice: accept parameters only from where they are supposed to be supplied •  HPP to bypass CSRF tokens –  E.g. Yahoo Mail client-side attack (di Paola & Carrettoni)
Bonus •  By concatenating the same parameter multiple time •  Bypass WAFs input validation checks –  Exploit ASP concatenation behavior and inline comments –  Concatenate the attack payload after the WAF filtering Standard: show_user.aspx?id=5;select+1,2,3+from+users+where+id=1– Over HPP: show_user.aspx?id=5;select+1&id=2&id=3+from+users+where+id=1— Standard: show_user.aspx?id=5+union+select+*+from+users— Over HPP: show_user.aspx?id=5/*&id=*/union/*&id=*/select+*/*&id=*/from+users--
System for HPP Detection •  Four main components: browser, crawler, two scanners
Main Components   Instrumented browser fetches the web pages and renders their content –  Full support for client-side scripts (e.g. Javascript) and external resources (e.g. <embed>) –  Extracts all links and forms   Crawler communicates with browser, determines URLs to visit and forms to submit. Passes the information to two scanners   P-Scan: Determines page behavior when two parameters with the same name are injected   V-Scan: Tests and attempts to verify that site is vulnerable to HPP
P-Scan: Analysis of the Parameter Precedence –  Analyzes a page to determine the precedence of parameters, when multiple occurrences of the same parameter are submitted –  Take parameter par1=val1, generate a similar value par1=new_val •  Page0 (original): app.php?par1=val1 •  Page1 (test 1) : app.php?par1=new_val •  Page2 (test 2) : app.php?par1=val1&par1=new_val –  How do we determine precedence? Naïve approach: •  Page0==Page2 -> precedence on first parameter •  Page1==Page2 -> precedence on second parameter
P-Scan: Problem with the naïve approach •  In practice, naïve technique does not work well –  Applications are complex, much dynamic content (publicity banners, RSS feeds, ads, etc.) –  Hence, we perform pre-filtering to eliminate dynamic components (embedded content, applets, iframes, stylesheets, etc.) –  Remove all self-referencing URLs (as these change when parameters are inserted) –  We then perform different tests to determine similarity
P-Scan: Tests •  Error test –  The application crashes, or return an “internal” error, when an identical parameter is injected multiple times –  Regexps from the sqlmap project •  Identity test –  Is the tested parameter considered by the application •  Page0=Page1=Page2 •  Base test –  Test assumes that the pre-filtering works perfectly (seldom the case)
P-Scan: Tests •  Join test –  Are the two values are somehow combined together (e.g. ASP)? •  Fuzzy test –  It is designed to cope with pages whose dynamic components have not been perfectly sanitized –  Based on the Gestalt Pattern Matching algorithm –  Compute the similarity among the pages
V-Scan: Testing for HPP vulnerabilities •  For every page, an innocuous URL-encoded parameter (nonce) is injected –  E.g., “%26foo%3Dbar” –  Then check if the “&foo=bar” string is included inside the URLs of links or forms in the answer page •  V-Scan starts by extracting the list PURL=[PU1,PU2,…PUn] of the parameters that are present in the page URL, and the list Pbody=[PB1,PB2,…PUm] of the parameters that are present in links or forms contained in the page body
Where to inject the nonce •  PA = PURL ∩ PBody : set of parameters that appear unmodified in the URL and in the page content (links, forms) •  PB = p | p PURL p / PBody : URL parameters that do not appear in the page. Some of these parameters may appear in the page under a different name •  PC = p | p / PURL p PBody : set of parameters that appear somewhere in the page, but that are not present in the URL
V-Scan: Special Cases •  E.g., one of the URL parameters (or part of it) is used as the entire target of a link •  Self-referencing links •  Similar issues with printing, sharing functionalities •  To reduce false positives, we use heuristics –  E.g., the injected parameter does not start with http:// –  Injection without URL-encoding
Implementation – The PAPAS tool •  PAPAS: Parameter Pollution Analysis System •  The components communicate via TCP/IP sockets –  Crawler and Scanner are in Python –  The browser component has been implemented as a Firefox extension –  Advantage: We can see exactly how pages are rendered (cope with client-side scripts) –  Support for multiple sessions (parallelization)
Implementation – The PAPAS tool •  PAPAS is fully customizable –  E.g., scanning depth, number of performed injections, page loading timeouts, etc. •  Three modes are supported –  Fast mode, extensive mode, assisted mode –  In assisted mode, authenticated areas of a site can be scanned as well
Possible improvements •  PAPAS does not support the crawling of links embedded in active content –  E.g., flash •  Support additional encoding schemas (UTF-8, Double URL) •  PAPAS currently only focuses on client-side exploits where user needs to click on a link –  HPP is also possible on the server side – but this is more difficult to detect –  Analogous to detecting stored XSS
Ethical Considerations •  Only client-side attacks. The server-side have the potential to cause harm •  We provided the applications with innocuous parameters (&foo=bar). No malicious code. •  Limited scan time (15min) and activity •  We immediately informed, when possible, the security engineers of the affected applications –  Thankful feedbacks
Two set of experiments   We used PAPAS to scan a set of popular websites –  About 5,000 sites collected by the first 500 of Alexa’s main categories –  The aim: To quickly scan as many websites as possible and to see how common HPP flaws are   We then analyzed some of the sites we identified to be HPP-vulnerable in more detail
The 5,016 tested sites Categories # of Tested Categories # of Tested Applications Applications Financial 110 Shopping 460 Games 300 Social Networking 117 Government 132 Sports 256 Health 235 Travel 175 Internet 698 University 91 News 599 Video 114 Organization 106 Others 1,401 Science 222
Efficient assessment •  In 13 days, we tested 5,016 sites and more than 149,000 unique pages •  To maximize the speed, the scanner –  Crawled pages up to a distance of 3 from the homepage –  Considered links with at least one parameter (except for the homepage) –  Considered at max 5 instances for page (same page, different query string) –  We disabled pop-ups, images, plug-ins for active content technologies
Evaluation – Parameter Precedence •  Database Errors –  Web developers does not seem conscious of the possibility to duplicate GET/POST parameters
Evaluation – Parameter Precedence •  Parameter Inconsistency –  Sites developed using a combination of heterogeneous technologies (e.g. PHP and Perl) –  This is perfectly safe if the developer is aware of the HPP threat… this is not always the case
Evaluation – HPP Vulnerabilities •  PAPAS discovered that about 1,500 (30%) websites contained at least one page vulnerable to HTTP Parameter Injection –  The tool was able to inject (and verify) an encoded parameter •  Vulnerable != Exploitable –  Is the parameter precedence consistent? –  Can a possible attacker override existing parameter values?
Vulnerable or exploitable? •  Injection on link: –  Parameter in the middle -> always overriding –  Parameter at the begin/end -> automated check via P-Scan •  Injection on form: –  The injected value is automatically encoded by the browser –  Still, someone may be able to run a two-step attack (client-side) or a server-side attack
Vulnerable or exploitable? •  702 applications are exploitable –  About 14% –  The injected parameter either overrides the value of an existing one or is accepted as “new parameter” •  E.g. A new action is injected Url: pool.pl?par1=val1%26action%3Dreset Link: target.pl?x=y&w=z&par1=val1&action=reset
Evaluation •  More sensitive sites are equally (or even more) affected by the problem
False Positives •  10 applications (1.12%) use the injected parameter as entire target for one link •  Variation of the special case we saw in slide 18 (V-Scan: special cases) –  The application applied a transformation to the parameter before using it as a link’s URL
Some Case Studies •  We investigated some of the websites in more detail –  Among our “victims”: Facebook, Google, Symantec, Microsoft, PayPal, Flickr, FOX Video, VMWare, … –  We notified security officers and some of the problems were fixed –  Facebook: share component –  Several shopping cart applications could be manipulated to change the price of an item –  Some banks were vulnerable and we could play around with parameters –  Google: search engine results could be manipulated
Homepage injection WHO
Nasa.gov: coldfusion SQL Error
Misleading shopping users
Your (secured) home banking
And Google 
PAPAS Online Service •  5K websites tested –  30% sites are vulnerable: injectable parameters –  14% exploitable: possible to override or introduce arbitrary parameters/values •  What about mine? •  PAPAS @ http://papas.iseclab.org •  Free-to-use service •  Ownership token verification •  Configurable
PAPAS Online Service DEMO
HPP Prevention •  Input validation –  Encoded query string delimiters •  Use safe methods –  Parameter precedence (ref. slide 14) –  Channel (GET/POST/Cookie) validation (ref. slide 19) •  Raise awareness –  The client can provide the same parameter twice (or more)
Acknowledgments, References •  Co-joint work: –  M. Balduzzi, C. Torrano Gimenez, D. Balzarotti, and E. Kirda. Automated discovery of parameter pollution vulnerabilities in web applications. In NDSS’11, San Diego, CA. •  http://papas.iseclab.org/cgi-bin/resources.py •  Black Hat’s White Paper
Conclusion   Presented the first technique and system to detect HPP vulnerabilities in web applications. •  We call it PAPAS, http://papas.iseclab.org   Conducted a large-scale study of the Internet •  About 5,000 web sites   Our results suggest that Parameter Pollution is a largely unknown, and wide-spread problem We hope our work will help raise awareness about HPP!
Questions? embyte@iseclab.org

Recomendados

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 

Recomendados

Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - SlidesAmit Dubey
 
Burp suite
Burp suiteBurp suite
Burp suiteYashar Shahinzadeh
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Attacking GraphQL
Attacking GraphQLAttacking GraphQL
Attacking GraphQLKavishaSheth1
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 
Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksStefano Di Paola
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 

Mais conteúdo relacionado

Mais procurados

Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - SlidesAmit Dubey
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scaleChandrapal Badshah
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceFrans Rosén
 

Mais procurados (20)

Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
Host Header injection - Slides
Host Header injection - SlidesHost Header injection - Slides
Host Header injection - Slides
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Web application security
Web application securityWeb application security
Web application security
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Attacking GraphQL
Attacking GraphQLAttacking GraphQL
Attacking GraphQL
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
 
Dangling DNS records takeover at scale
Dangling DNS records takeover at scaleDangling DNS records takeover at scale
Dangling DNS records takeover at scale
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypass
 
Time based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webserviceTime based CAPTCHA protected SQL injection through SOAP-webservice
Time based CAPTCHA protected SQL injection through SOAP-webservice
 

Destaque

Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksStefano Di Paola
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
Cctk support for setting hdd password
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd passwordartisriva
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateEnterprise Softworx Solutions
 
Abusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingAbusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingMarco Balduzzi
 
A New Form of Dos attack in Cloud
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in CloudSanoj Kumar
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime InvestigationsMarco Balduzzi
 
Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Venkatesh Prabhu
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Marco Balduzzi
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...Marco Balduzzi
 
чынгыз айтматов Small
чынгыз айтматов Smallчынгыз айтматов Small
чынгыз айтматов SmallKamchibekova Rakia
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02ragibhasan
 
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октябряОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октябряАсылбек Айтматов
 
TUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMika aprilia
 

Destaque (20)

Http Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacksHttp Parameter Pollution, a new category of web attacks
Http Parameter Pollution, a new category of web attacks
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
Cctk support for setting hdd password
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd password
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation Template
 
Abusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User ProfilingAbusing Social Networks for Automated User Profiling
Abusing Social Networks for Automated User Profiling
 
Personal informatic
Personal informaticPersonal informatic
Personal informatic
 
A New Form of Dos attack in Cloud
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in Cloud
 
Pentru tine
Pentru tinePentru tine
Pentru tine
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 
Christmas
ChristmasChristmas
Christmas
 
Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...Cloud computing security policy framework for mitigating denial of service at...
Cloud computing security policy framework for mitigating denial of service at...
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
 
чынгыз айтматов Small
чынгыз айтматов Smallчынгыз айтматов Small
чынгыз айтматов Small
 
Family tree
Family treeFamily tree
Family tree
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02
 
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октябряОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
ОО" Шоола Кол" презентация Результаты поиска Санкт-Петербург 14 октября
 
Presentation1
Presentation1Presentation1
Presentation1
 
Possessive adjectives
Possessive adjectivesPossessive adjectives
Possessive adjectives
 
TUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEM
 

Semelhante a HTTP Parameter Pollution Vulnerabilities in Web Apps

Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...Marco Balduzzi
 
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Denim Group
 
The 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyThe 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyTEST Huddle
 
Website Testing Practices
Website Testing PracticesWebsite Testing Practices
Website Testing Practicesdeseomar
 
Graphing for Security
Graphing for SecurityGraphing for Security
Graphing for Securitymr_secure
 
Manipulating Web Application Interfaces
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application InterfacesFelipe M
 
Neotys PAC 2018 - Tingting Zong
Neotys PAC 2018 - Tingting ZongNeotys PAC 2018 - Tingting Zong
Neotys PAC 2018 - Tingting ZongNeotys_Partner
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= TOWASP EEE
 
WebAppSec: Assessment and Defense
WebAppSec: Assessment and DefenseWebAppSec: Assessment and Defense
WebAppSec: Assessment and Defenseajitdhumale
 
Monitoring a Kubernetes-backed microservice architecture with Prometheus
Monitoring a Kubernetes-backed microservice architecture with PrometheusMonitoring a Kubernetes-backed microservice architecture with Prometheus
Monitoring a Kubernetes-backed microservice architecture with PrometheusFabian Reinartz
 
Find maximum bugs in limited time
Find maximum bugs in limited timeFind maximum bugs in limited time
Find maximum bugs in limited timebeched
 
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012TEST Huddle
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
(ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service (ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service BIOVIA
 
Software Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software EngineeringSoftware Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software EngineeringTao Xie
 
Introduction to Web Programming - first course
Introduction to Web Programming - first courseIntroduction to Web Programming - first course
Introduction to Web Programming - first courseVlad Posea
 

Semelhante a HTTP Parameter Pollution Vulnerabilities in Web Apps (20)

Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
Automated Detection of HPP Vulnerabilities in Web Applications Version 0.3, B...
 
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...
 
SOHOpelessly Broken
SOHOpelessly BrokenSOHOpelessly Broken
SOHOpelessly Broken
 
The 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a ProxyThe 3 Top Techniques for Web Security Testing Using a Proxy
The 3 Top Techniques for Web Security Testing Using a Proxy
 
Website Testing Practices
Website Testing PracticesWebsite Testing Practices
Website Testing Practices
 
Graphing for Security
Graphing for SecurityGraphing for Security
Graphing for Security
 
Manipulating Web Application Interfaces
Manipulating Web Application InterfacesManipulating Web Application Interfaces
Manipulating Web Application Interfaces
 
Neotys PAC 2018 - Tingting Zong
Neotys PAC 2018 - Tingting ZongNeotys PAC 2018 - Tingting Zong
Neotys PAC 2018 - Tingting Zong
 
[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T[Russia] Bugs -> max, time &lt;= T
[Russia] Bugs -> max, time &lt;= T
 
WebAppSec: Assessment and Defense
WebAppSec: Assessment and DefenseWebAppSec: Assessment and Defense
WebAppSec: Assessment and Defense
 
Monitoring a Kubernetes-backed microservice architecture with Prometheus
Monitoring a Kubernetes-backed microservice architecture with PrometheusMonitoring a Kubernetes-backed microservice architecture with Prometheus
Monitoring a Kubernetes-backed microservice architecture with Prometheus
 
Find maximum bugs in limited time
Find maximum bugs in limited timeFind maximum bugs in limited time
Find maximum bugs in limited time
 
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Prowess presentation
Prowess presentationProwess presentation
Prowess presentation
 
Bots & spiders
Bots & spidersBots & spiders
Bots & spiders
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
(ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service (ATS6-PLAT04) Query service
(ATS6-PLAT04) Query service
 
Software Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software EngineeringSoftware Analytics: Data Analytics for Software Engineering
Software Analytics: Data Analytics for Software Engineering
 
Introduction to Web Programming - first course
Introduction to Web Programming - first courseIntroduction to Web Programming - first course
Introduction to Web Programming - first course
 

Mais de Marco Balduzzi

Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Marco Balduzzi
 
CTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards CerimonyCTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards CerimonyMarco Balduzzi
 
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled TechnologiesSCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled TechnologiesMarco Balduzzi
 
Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)Marco Balduzzi
 
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018Marco Balduzzi
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Marco Balduzzi
 
Plead APT @ EECTF 2016
Plead APT @ EECTF 2016Plead APT @ EECTF 2016
Plead APT @ EECTF 2016Marco Balduzzi
 
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)Marco Balduzzi
 
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)Marco Balduzzi
 
Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)Marco Balduzzi
 
The (in)security of File Hosting Services
The (in)security of File Hosting ServicesThe (in)security of File Hosting Services
The (in)security of File Hosting ServicesMarco Balduzzi
 
Stealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using SkypeStealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using SkypeMarco Balduzzi
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
Paper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksPaper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksMarco Balduzzi
 

Mais de Marco Balduzzi (14)

Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...
 
CTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards CerimonyCTS @ HWIO2020 Awards Cerimony
CTS @ HWIO2020 Awards Cerimony
 
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled TechnologiesSCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies
 
Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)Attacking Industrial Remote Controllers (HITB AMS 2019)
Attacking Industrial Remote Controllers (HITB AMS 2019)
 
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...Behind the scene of malware operators. Insights and countermeasures. CONFiden...
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
 
Plead APT @ EECTF 2016
Plead APT @ EECTF 2016Plead APT @ EECTF 2016
Plead APT @ EECTF 2016
 
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
Detection of Malware Downloads via Graph Mining (AsiaCCS '16)
 
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014)
 
Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)Attacking the Privacy of Social Network users (HITB 2011)
Attacking the Privacy of Social Network users (HITB 2011)
 
The (in)security of File Hosting Services
The (in)security of File Hosting ServicesThe (in)security of File Hosting Services
The (in)security of File Hosting Services
 
Stealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using SkypeStealthy, Resilient and Cost-Effective Botnet Using Skype
Stealthy, Resilient and Cost-Effective Botnet Using Skype
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
 
Paper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksPaper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking Attacks
 

Último

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Último (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 

HTTP Parameter Pollution Vulnerabilities in Web Apps

  • 1. HTTP Parameter Pollution Vulnerabilities in Web Applications Marco `embyte’ Balduzzi (C. Torrano, D.Balzarotti, E. Kirda) Do you have the last version of this presentation? http://www.iseclab.org/people/embyte/slides/BHEU2011/hpp-bhEU2011.pdf
  • 2. Overview •  Introduction •  HTTP Parameter Pollution •  Detection Approach •  Tool •  Experiments •  Results •  Demo •  Conclusions
  • 3. Who am I? •  From Bergamo (IT) to the French Riviera •  MSc in Computer Engineering •  PhD student at EURECOM •  8+ years experience in IT Security •  Engineer and consultant for different international firms •  Co-founder of BGLug, Applied Uni Lab, (ex) SPINE Group, Nast, etc… •  http://www.iseclab.org/people/embyte
  • 4. The Web as We Know It •  Has evolved from being a collection of simple and static pages to fully dynamic applications •  Applications are more complex than they used to be •  Multi-tier architecture is the normal •  Many complex systems have web interfaces
  • 6. Now
  • 7. Increased Importance of Web Security •  As a consequence: –  Web security has increased in importance –  OWASP, the Top Ten Project –  Attack against web apps constitute 60% of attacks on the Internet (SANS’s The Top Cyber Security Risks) –  Application being targeted for hosting drive-by- download content or C&C servers –  Malware targeting browsers (e.g. key and network loggers)
  • 8. Increased Importance of Web Security •  A lot of work done to detect injection type flaws: –  SQL Injection –  Cross Site Scripting –  Command Injection •  Injection vulnerabilities have been well-studied, and tools exist –  Sanitization routines in languages (e.g., PHP) –  Static code analysis (e.g., Pixy, OWASP Orizon) –  Dynamic techniques (e.g., Huang et al.) –  Web Application Firewalls (WAF)
  • 9. HTTP Parameter Pollution •  A new class of Injection Vulnerability called HTTP Parameter Pollution (HPP) is less known –  Has not received much attention –  First presented by S. di Paola and L. Carettoni at OWASP 2009 •  Attack consists of injecting encoded query string delimiters into existing HTTP parameters (e.g. GET/POST/Cookie) –  If application does not sanitize its inputs, HPP can be used to launch client-side or server-side attacks –  Attacker may be able to override existing parameter values, inject a new parameter or exploit variables out of a direct reach
  • 10. Research Objectives •  To create the first automated approach for detecting HPP flaws –  Blackbox approach, consists of a set of tests and heuristics •  To find out how prevalent HPP problems were on the web –  Is the problem being exaggerated? –  Is this problem known by developers? –  Does this problem occur more in smaller sites than larger sites? –  What is the significance of the problem?
  • 11. HTTP Parameter Handling •  During interaction with web application, client provides parameters via GET/POST/Cookie –  http://www.site.com/login?login=alice •  HTTP allows the same parameter to be provided twice –  E.g., in a form checkbox http://www.w3schools.com/html/tryit.asp?filename=tryhtml_form_checkbox •  What happens when the same parameter is provided twice? –  http://www.site.com/login?login=alice&login=bob
  • 14. HTTP Parameter Handling •  We manually tested common methods of 5 different languages Technology/Server Tested Method Parameter Precedence ASP/IIS Request.QueryString(“par”) All (comma-delimited string) PHP/Apache $_GET(“par”) Last JSP/Tomcat Request.getParameter(“par”) First Perl(CGI)/Apache Param(“par”) First Python/Apache getvalue(“par”) All (List) •  There is nothing bad with it, if the developer is aware of this behavior •  Languages provide secure functions (python’s getfirst())
  • 15. HTTP Parameter Pollution •  An HTTP Parameter Pollution (HPP) attack occurs –  When a malicious parameter Pinj, preceded by an encoded query string delimiter (e.g. %26), is injected into an existing parameter Phost •  Typical scenario (client-side) –  Web application for election for two candidates
  • 16. HTTP Parameter Pollution Url : http://host/election.jsp?poll_id=4568 Link1: <a href="vote.jsp?poll_id=4568&candidate=white”> Vote for Mr.White </a> Link2: <a href="vote.jsp?poll_id=4568&candidate=green”> Vote for Mrs.Green </a> •  The two links are built from the URL ID = Request.getParameter(“pool_id”) href_link = “vote.jsp?poll_id=” + ID + ”&candidate=xyz” •  No sanitization
  • 17. HTTP Parameter Pollution •  poll_id is vulnerable and Attacker creates URL: http://host/election.jsp?poll_id=4568%26candidate%3Dgreen •  The resulting page now contains injected links: <a href=vote.jsp?pool_id=4568&candidate=green&candidate=white> Vote for Mr. White </a> <a href=vote.jsp?pool_id=4568&candidate=green&candidate=green> Vote for Mrs. Green </a> •  If the developer expects to receive a single value –  Jsp’s Request.getParameter(“candidate”)returns the 1st value –  The parameter precedence is consistent… •  Candidate Mrs. Green is always voted!
  • 18. Consequence •  Override existing (hardcoded) values •  Inject a new parameter •  Exploit a parameter out of a direct reach •  Client-side (user) or server-side (web- application) attack
  • 19. Parameter Pollution – More uses •  Cross-channel pollution –  HPP attacks can also be used to override parameters between different input channels (GET/POST/Cookie) –  Good security practice: accept parameters only from where they are supposed to be supplied •  HPP to bypass CSRF tokens –  E.g. Yahoo Mail client-side attack (di Paola & Carrettoni)
  • 20. Bonus •  By concatenating the same parameter multiple time •  Bypass WAFs input validation checks –  Exploit ASP concatenation behavior and inline comments –  Concatenate the attack payload after the WAF filtering Standard: show_user.aspx?id=5;select+1,2,3+from+users+where+id=1– Over HPP: show_user.aspx?id=5;select+1&id=2&id=3+from+users+where+id=1— Standard: show_user.aspx?id=5+union+select+*+from+users— Over HPP: show_user.aspx?id=5/*&id=*/union/*&id=*/select+*/*&id=*/from+users--
  • 21. System for HPP Detection •  Four main components: browser, crawler, two scanners
  • 22. Main Components   Instrumented browser fetches the web pages and renders their content –  Full support for client-side scripts (e.g. Javascript) and external resources (e.g. <embed>) –  Extracts all links and forms   Crawler communicates with browser, determines URLs to visit and forms to submit. Passes the information to two scanners   P-Scan: Determines page behavior when two parameters with the same name are injected   V-Scan: Tests and attempts to verify that site is vulnerable to HPP
  • 23. P-Scan: Analysis of the Parameter Precedence –  Analyzes a page to determine the precedence of parameters, when multiple occurrences of the same parameter are submitted –  Take parameter par1=val1, generate a similar value par1=new_val •  Page0 (original): app.php?par1=val1 •  Page1 (test 1) : app.php?par1=new_val •  Page2 (test 2) : app.php?par1=val1&par1=new_val –  How do we determine precedence? Naïve approach: •  Page0==Page2 -> precedence on first parameter •  Page1==Page2 -> precedence on second parameter
  • 24. P-Scan: Problem with the naïve approach •  In practice, naïve technique does not work well –  Applications are complex, much dynamic content (publicity banners, RSS feeds, ads, etc.) –  Hence, we perform pre-filtering to eliminate dynamic components (embedded content, applets, iframes, stylesheets, etc.) –  Remove all self-referencing URLs (as these change when parameters are inserted) –  We then perform different tests to determine similarity
  • 25. P-Scan: Tests •  Error test –  The application crashes, or return an “internal” error, when an identical parameter is injected multiple times –  Regexps from the sqlmap project •  Identity test –  Is the tested parameter considered by the application •  Page0=Page1=Page2 •  Base test –  Test assumes that the pre-filtering works perfectly (seldom the case)
  • 26. P-Scan: Tests •  Join test –  Are the two values are somehow combined together (e.g. ASP)? •  Fuzzy test –  It is designed to cope with pages whose dynamic components have not been perfectly sanitized –  Based on the Gestalt Pattern Matching algorithm –  Compute the similarity among the pages
  • 27. V-Scan: Testing for HPP vulnerabilities •  For every page, an innocuous URL-encoded parameter (nonce) is injected –  E.g., “%26foo%3Dbar” –  Then check if the “&foo=bar” string is included inside the URLs of links or forms in the answer page •  V-Scan starts by extracting the list PURL=[PU1,PU2,…PUn] of the parameters that are present in the page URL, and the list Pbody=[PB1,PB2,…PUm] of the parameters that are present in links or forms contained in the page body
  • 28. Where to inject the nonce •  PA = PURL ∩ PBody : set of parameters that appear unmodified in the URL and in the page content (links, forms) •  PB = p | p PURL p / PBody : URL parameters that do not appear in the page. Some of these parameters may appear in the page under a different name •  PC = p | p / PURL p PBody : set of parameters that appear somewhere in the page, but that are not present in the URL
  • 29. V-Scan: Special Cases •  E.g., one of the URL parameters (or part of it) is used as the entire target of a link •  Self-referencing links •  Similar issues with printing, sharing functionalities •  To reduce false positives, we use heuristics –  E.g., the injected parameter does not start with http:// –  Injection without URL-encoding
  • 30. Implementation – The PAPAS tool •  PAPAS: Parameter Pollution Analysis System •  The components communicate via TCP/IP sockets –  Crawler and Scanner are in Python –  The browser component has been implemented as a Firefox extension –  Advantage: We can see exactly how pages are rendered (cope with client-side scripts) –  Support for multiple sessions (parallelization)
  • 31. Implementation – The PAPAS tool •  PAPAS is fully customizable –  E.g., scanning depth, number of performed injections, page loading timeouts, etc. •  Three modes are supported –  Fast mode, extensive mode, assisted mode –  In assisted mode, authenticated areas of a site can be scanned as well
  • 32. Possible improvements •  PAPAS does not support the crawling of links embedded in active content –  E.g., flash •  Support additional encoding schemas (UTF-8, Double URL) •  PAPAS currently only focuses on client-side exploits where user needs to click on a link –  HPP is also possible on the server side – but this is more difficult to detect –  Analogous to detecting stored XSS
  • 33. Ethical Considerations •  Only client-side attacks. The server-side have the potential to cause harm •  We provided the applications with innocuous parameters (&foo=bar). No malicious code. •  Limited scan time (15min) and activity •  We immediately informed, when possible, the security engineers of the affected applications –  Thankful feedbacks
  • 34. Two set of experiments   We used PAPAS to scan a set of popular websites –  About 5,000 sites collected by the first 500 of Alexa’s main categories –  The aim: To quickly scan as many websites as possible and to see how common HPP flaws are   We then analyzed some of the sites we identified to be HPP-vulnerable in more detail
  • 35. The 5,016 tested sites Categories # of Tested Categories # of Tested Applications Applications Financial 110 Shopping 460 Games 300 Social Networking 117 Government 132 Sports 256 Health 235 Travel 175 Internet 698 University 91 News 599 Video 114 Organization 106 Others 1,401 Science 222
  • 36. Efficient assessment •  In 13 days, we tested 5,016 sites and more than 149,000 unique pages •  To maximize the speed, the scanner –  Crawled pages up to a distance of 3 from the homepage –  Considered links with at least one parameter (except for the homepage) –  Considered at max 5 instances for page (same page, different query string) –  We disabled pop-ups, images, plug-ins for active content technologies
  • 37. Evaluation – Parameter Precedence •  Database Errors –  Web developers does not seem conscious of the possibility to duplicate GET/POST parameters
  • 38. Evaluation – Parameter Precedence •  Parameter Inconsistency –  Sites developed using a combination of heterogeneous technologies (e.g. PHP and Perl) –  This is perfectly safe if the developer is aware of the HPP threat… this is not always the case
  • 39. Evaluation – HPP Vulnerabilities •  PAPAS discovered that about 1,500 (30%) websites contained at least one page vulnerable to HTTP Parameter Injection –  The tool was able to inject (and verify) an encoded parameter •  Vulnerable != Exploitable –  Is the parameter precedence consistent? –  Can a possible attacker override existing parameter values?
  • 40. Vulnerable or exploitable? •  Injection on link: –  Parameter in the middle -> always overriding –  Parameter at the begin/end -> automated check via P-Scan •  Injection on form: –  The injected value is automatically encoded by the browser –  Still, someone may be able to run a two-step attack (client-side) or a server-side attack
  • 41. Vulnerable or exploitable? •  702 applications are exploitable –  About 14% –  The injected parameter either overrides the value of an existing one or is accepted as “new parameter” •  E.g. A new action is injected Url: pool.pl?par1=val1%26action%3Dreset Link: target.pl?x=y&w=z&par1=val1&action=reset
  • 42. Evaluation •  More sensitive sites are equally (or even more) affected by the problem
  • 43. False Positives •  10 applications (1.12%) use the injected parameter as entire target for one link •  Variation of the special case we saw in slide 18 (V-Scan: special cases) –  The application applied a transformation to the parameter before using it as a link’s URL
  • 44. Some Case Studies •  We investigated some of the websites in more detail –  Among our “victims”: Facebook, Google, Symantec, Microsoft, PayPal, Flickr, FOX Video, VMWare, … –  We notified security officers and some of the problems were fixed –  Facebook: share component –  Several shopping cart applications could be manipulated to change the price of an item –  Some banks were vulnerable and we could play around with parameters –  Google: search engine results could be manipulated
  • 45.
  • 47.
  • 52. PAPAS Online Service •  5K websites tested –  30% sites are vulnerable: injectable parameters –  14% exploitable: possible to override or introduce arbitrary parameters/values •  What about mine? •  PAPAS @ http://papas.iseclab.org •  Free-to-use service •  Ownership token verification •  Configurable
  • 54. HPP Prevention •  Input validation –  Encoded query string delimiters •  Use safe methods –  Parameter precedence (ref. slide 14) –  Channel (GET/POST/Cookie) validation (ref. slide 19) •  Raise awareness –  The client can provide the same parameter twice (or more)
  • 55. Acknowledgments, References •  Co-joint work: –  M. Balduzzi, C. Torrano Gimenez, D. Balzarotti, and E. Kirda. Automated discovery of parameter pollution vulnerabilities in web applications. In NDSS’11, San Diego, CA. •  http://papas.iseclab.org/cgi-bin/resources.py •  Black Hat’s White Paper
  • 56. Conclusion   Presented the first technique and system to detect HPP vulnerabilities in web applications. •  We call it PAPAS, http://papas.iseclab.org   Conducted a large-scale study of the Internet •  About 5,000 web sites   Our results suggest that Parameter Pollution is a largely unknown, and wide-spread problem We hope our work will help raise awareness about HPP!
  • 57. Questions? embyte@iseclab.org