HTTPParameter Pollution. ChrysostomosDaniel



Similar documents
HTTP Parameter Pollution. OWASP EU09 Poland. The OWASP Foundation. Luca Carettoni Independent Researcher

Web Application Security

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Web Vulnerability Scanner by Using HTTP Method

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

Check list for web developers

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

The only False Positive Free. Web Application Security Scanner

Web Application Guidelines

Using Free Tools To Test Web Application Security

(WAPT) Web Application Penetration Testing

The Top Web Application Attacks: Are you vulnerable?

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Application security testing: Protecting your application and data

Where every interaction matters.

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Web-Application Security

Cross-Site Scripting

Are AJAX Applications Vulnerable to Hack Attacks?

Leveraging User Interactions for In-Depth Testing of Web Applications

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

CMP3002 Advanced Web Technology

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Security features of ZK Framework

How to Rob an Online Bank (and get away with it)

Intrusion detection for web applications

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Web Application Security

Criteria for web application security check. Version

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

APPLICATION SECURITY AND ITS IMPORTANCE

Introduction to Computer Security

Columbia University Web Security Standards and Practices. Objective and Scope

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

HP WebInspect Tutorial

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

Rational AppScan & Ounce Products

Evaluation of Web Security Mechanisms Using Inline Scenario & Online Scenario

Sitefinity Security and Best Practices

Magento Security and Vulnerabilities. Roman Stepanov

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

A Tale of the Weaknesses of Current Client-side XSS Filtering

Web Application Vulnerabilities and Avoiding Application Exposure

Introduction: 1. Daily 360 Website Scanning for Malware

Secure Web Development Teaching Modules 1. Threat Assessment

Common Security Vulnerabilities in Online Payment Systems

Hack Proof Your Webapps

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Project 2: Web Security Pitfalls

Web Application Security

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

CTF Web Security Training. Engin Kirda

HackMiami Web Application Scanner 2013 PwnOff

Annex B - Content Management System (CMS) Qualifying Procedure

A Tale of the Weaknesses of Current Client-Side XSS Filtering

05.0 Application Development

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Chapter 1 Web Application (In)security 1

Security Evaluation of Web Application. Using Custom Web Application

Ethical Hacking as a Professional Penetration Testing Technique

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Abusing Internet Explorer 8's XSS Filters

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Passing PCI Compliance How to Address the Application Security Mandates

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

Understanding Web Application Security Issues

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

What is Web Security? Motivation

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing

Client logo placeholder XXX REPORT. Page 1 of 37

Finding Your Way in Testing Jungle. A Learning Approach to Web Security Testing.

Last update: February 23, 2004

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

How To Fix A Web Application Security Vulnerability

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

STABLE & SECURE BANK lab writeup. Page 1 of 21

A Survey on Threats and Vulnerabilities of Web Services

Complete Cross-site Scripting Walkthrough

The Security Development Life Cycle

Web Application Attacks And WAF Evasion

Transcription:

HTTPParameter Pollution ChrysostomosDaniel

Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider server (such as Servlets). As time goes by, there is the need for web applications to provide a multitude of services to their users while at the same time being consistent with functionality, interactivity and ease of use. For this reason, even the simplest web application may possibly obtain and process a plethora of different HTTP parameters. This could result in the exposure of an extensive variety of input validation or injection vulnerabilities, such as Cross-site Scripting, SQL Injection and Command Injection, waiting to be manipulated and exploited. These web vulnerabilities are now ordinary and there has been a lot of research around them which has helped the web application field to be more secure. Nevertheless, a vulnerability that has been around for a long time has only now begun to raise alertness in the web security world - HTTP Parameter Pollution (HPP). This vulnerability was first presented by Stefano di Paola and Luca Carettoni in 2009 at the OWASP Poland conference. The fact that this vulnerability has been around for a long time means that numerous vulnerabilities affecting or targeting real-world applications have been discovered. HTTP Parameter Pollution (HPP) in detail HTTP Parameter Pollution, as implied by the name, pollutes the HTTP parameters of a web application in order to perform or achieve a specific malicious task/attack different from the intended behavior of the web application. This hacking technique is considered to be simple, but quite effective. Furthermore, the main reason this attack can be realized is because the input is not get sanitized properly. HPP injects encoded query string delimiters in existing or other HTTP parameters (i.e. GET/POST/Cookie), which make it feasible to supersede parameter values that already exist to inject a new parameter or exploit variables from direct access. This attack affects all web technologies, whether running client-side or server-side. Generally, an attacker can use HPP vulnerabilities to: Supersede existing hardcoded HTTP parameters. Alter or modify the intended/normal application behavior. Access and potentially exploit variables that are not been controlled properly. Bypass WAFs rules or input validation mechanisms. Thus, if a web application is vulnerable to HPP attacks, the security of the web application is compromised, giving an attacker an easy way to perform malicious or illegal activities. Web Technologies HTTP allows the submission of the same parameter more than once. The manipulation of the value of each parameter depends on how each web technology is parsing these parameters. So, what happens if the same parameter is provided more than one time? 1

Some web technologies parse the first or the last occurrence of the parameter, some concatenate all the inputs and others will create an array of parameters. Below is a table showing how each web technology is parsing different values of the same parameters at the server-side. [Reference: HTTP Parameter Pollution OWASP EU09 Poland presentation; https://www.owasp.org/images/b/ba/appseceu09_carettonidipaola_v0.8.pdf] The following examples show how the web technology of a web application is triggering or parsing same parameters in one query. The first example on how parameters are triggered can be shown below using Google search engine. In Google you can have the following query; http://www.google.com/search?q=web&q=application&q=security 2

As shown in the above screenshot, the same parameter q is being used three times. In this case, Google concatenates the three values with a space in-between, thus the end result will be web application security. A second example is with the search engine Yahoo!. The following query has been used: http://search.yahoo.com/search;_ylt=ajxtx6dkisks1pjefg6zsmwbvzx4?p=web&p=application&p=security Having the same three parameters as with the previous example, it is shown that Yahoo! is only parsing the last parameter, thus the end result will be security. 3

This shows clearly how each technology is differently parsing the value parameters. The way each technology is parsing the parameters is not wrong, as long as the developer is aware of it. If the developer is not aware of this behavior or parameter triggering, then this can be dangerous for the web application. In addition, web technologies/languages have several secure functions that allow them to protect themselves by being able to control and manipulate these kinds of input parameters. Client-side and Server-Side HTTP Parameter Pollution can be classified in two categories - client-side or server-side. Each technology is parsing parameters differently, thus different attacks can be realized. This, depending on the way it is being triggered, enables client-side or server-side attacks. Moreover, in each case the parameters are manipulated accordingly to perform hacking activities at the front-end (client) or the back-end (server) of the web application. Client-side HTTP Parameter Pollution vulnerability The HTTP Parameter Pollution (HPP) Client-side attack has to do with the client or user environment, meaning that the user s actions (i.e. access a link in a browser) are affected and will trigger a malicious or unintended action without the user s knowledge. HPP Client-side attacks can be reflected HPP (such as an injection of additional parameters to URL links and/or other src attributes), stored HPP (which can be functional on all tags with data, src, and href attributes) and action forms with POST method. Another HPP client-side attack is the DOM-based attack which has to do mostly with parsing unexpected parameters and the realization of client-side HPP using JavaScript. Obviously, the ability or capacity of the injection depends on the attributes of the link and its functionalities. Nevertheless, the main aim is to generate HPP attacks on the client side. An example of a typical HPP client-side attack includes a website that is vulnerable to HPP and a group of victims that will interact with the vulnerable website. An attacker, after identifying a vulnerable website, will create a vulnerable link with its HTTP parameters polluted and will send this link or make it publicly available through emails or social networks for naive and unsuspecting victims to click on. After the victims have clicked on it, the intended malicious behavior will be performed, affecting the users and the web application (application providers). 4

The following scenario is a webmail service website from where a user can view and delete his/her emails. The URL of the webmail website is: http://host/viewemail.jsp?client_id=79643215 The link to view an email is <a href="viewemail.jsp?client_id=79643215&action=view > View </a> The link to delete an email is: <a href="viewemail.jsp?client_id=79643215&action=delete > Delete </a> When the user clicks on either of the above links, the appropriate action will be performed. The two links are built from the URL. The ID will be requested and will be embedded/added in the href link together with the according action. Thus: ID = Request.getParameter( client_id ) href_link = viewemail.jsp?client_id= + ID + &action=abc This web application, and more precisely the client_id, is vulnerable to HPP. As seen below, an attacker creates a URL and injects another parameter action preceded by an encoded query string delimiter (e.g. %26) after the client_id parameter. This parameter holds the value delete : http://host/viewemailn.jsp?client_id=79643215%26action%3ddelete After the creation of the malicious link, the page now contains two links which are injected with an extra action parameter. Thus: <a href=viewemail.jsp?client_id=79643215&action=delete&action=view > View </a> <a href=viewemail.jsp?client_id=79643215&action=delete&action=delete > Delete </a> As shown in the table above, JSP will parse the two same parameters (action) and will return the first value. The JSP query Request.getParameter( action ) will return delete in both cases. Thus, the user will click either of the two links, View or Delete, but the action Delete will always be performed. This is a simple example how an attacker can exploit an HTTP Parameter Pollution vulnerable website and cause malicious code to run or be executed without being detected. Server-side HTTP Parameter Pollution vulnerability In the HPP Server-side the back-end environment of the web application will be affected. The attacker using HPP attacks will try to exploit the logic of the vulnerable web application by sending a triggered, or polluted URL, for example to access the database of a web application. HPP Server-side can be also used to bypass several web application firewalls (WAFs) rules. Some WAFs only validate a single parameter occurrence, such as the first or the last one. In a case where the web technology concatenates the value of multiple parameters which are the same, such as ASP.NET/IIS, then an attacker can split the malicious code into those occurrences thus bypassing the security mechanism or rules of the web application firewall. 5

Moreover, URL rewriting can occur using HPP. For instance, an attacker can inject an encoded query string in order to cause the URL to be rewritten. An example can be seen below: Encoded string: http://host/xyz%26page%3dedit Rewritten URL: http://host/page.php?page=view&page=xyz&action=edit&id=0 As mentioned before, the capability of the injection depends on the attributes of the link and its exposed functionalities. HPP Server-side attacks can also be used for cross-channel pollution and to bypass CSRF tokens. In order to better understand the server-side HPP attack, the following example will try to explain how this attack can bypass web application firewall rules or signature-based filters using concatenation of parameters with the same values. The following URL/request is send to the server: http://testaspnet.vulnweb.com/test/vuln.cgi?par1=val1&par2=val2 The web server will parse the above query and will split it into pairs (name/value) in order to be manipulated or used by the web application. Thus, the web application will take par1 and par2 with values val1 and val2 respectively. If the web application is vulnerable to HPP attacks, an attacker could exploit it and submit a malicious payload. Take the following case: http://testaspnet.vulnweb.com/test/vuln.cgi?par1=val1&par1=val2 You can see that there are two par1 parameters, each holding two different values. In this case how is the application going to trigger this? It depends on the web technology, as seen in the Web Technologies section above. Because of the different handling methods of parameters, hackers can control them in order to avoid security mechanisms and attack the web application. In another example, where the web technology is ASP.NET/IIS, a hacker can send the following request to the server: http://testaspnet.vulnweb.com/test/vuln.cgi?par1=<script&par1=prompt.... > Since ASP.NET/IIS concatenates the values of the same parameters, the end result will be <script prompt >. Consequently, an attacker can expand this into a complete cross-site scripting attack. If there is an installed Web Application Firewall in front of this application then it will check each occurrence of the parameter separately against the rules for injection attacks. As a result, the web application firewall will check the first parameter par1=<script, which will not match any of the injection attack rules since this is not a malicious payload. Then it will make the same check for the second parameter which equals par2=src=. Again, this is not considered as a dangerous payload and will not raise any alerts. Nevertheless, as mentioned before, ASP.NET/IIS will concatenate these values, based on how the technology parses these occurrences, resulting in executing an XSS attack (if it was expanded in a complete XSS payload). 6

This is an example how an attacker can bypass some web application firewalls rules using HPP, enabling further attacks. Countermeasures / Prevention In order to prevent these kinds of vulnerabilities, an extensive and proper input validation should be performed. There are safe methods to conform to with each web technology/language. Moreover, awareness about the fact that clients/users can provide more than one parameter should be raised. Conclusion An injection attack that has been around for some years but never raised any alertness and didn t particularly intrigue the security world, has come to enlighten the web security industry to the fact that these kind of injection attacks should never be underestimated, and that the lack of standardization of the different parsing methods each web technology encompasses, together with complexity, might lead to vulnerabilities. HTTP Parameter Pollution takes advantage of the fact that HTTP allows more than one of the same parameters to be used, which causes some web applications, based on their web technology and how these trigger HTTP parameters, to be exposed and to be exploited by malicious users. HPP is a simple yet quite effective hacking technique which affects both client-side and server-side environments. When exploited, the impact of an HPP vulnerability depends on the functionality of the web application. It has been made clear that this vulnerability, despite its simplicity, can be very dangerous and can compromise your website s security systems. Proper checks should be performed in order to determine if your site is vulnerable to HPP attacks in order to limit the possibilities and decrease the opportunities that hackers can exploit that could lead to a breach of the Confidentiality, Integrity and Availability of your site. Scanning for HTTP Parameter Pollution with Acunetix Web Vulnerability Scanner! Acunetix Web Vulnerability Scanner Version 8 scans any website or web application for HTTP Parameter Pollution vulnerabilities, reveals the relevant information for the user, such as the vulnerability location and suggests remediation techniques. Scanning for HPP is normally a quick process (depending on the size of the web-site). The images below demonstrate how Acunetix Web Vulnerability Scanner crawls, scans and detects a site which is vulnerable to HTTP Parameter Pollution. 7

Acunetix Web Vulnerability Scanner Version 8 scans against HPP vulnerabilities, reporting the location of the vulnerability, the HTTP headers and HTML response with information regarding the HPP vulnerability and how this can be remediated. 8

About Acunetix Web Vulnerability Scanner Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, Cross-Site Scripting and other vulnerabilities. The scanner checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. Detailed reports resulting from the scan identify where vulnerabilities exist. The Acunetix WVS Reporting Application allows security alerts to be presented in a document which abides by the PCI Compliance specification. About Acunetix Acunetix is a market leader in web application security technology, founded to combat the alarming rise in web attacks. Its flagship product, Acunetix Web Vulnerability Scanner, is the result of several years of work by a team of highly experienced security developers. Acunetix customers include the US Army, US Airforce, AT&T, KPMG, Telstra, Fujitsu, and Adidas. More information can be found here http://www.acunetix.com/. 9

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information