[WEB SECURITY] HTTP parameters fragmentation

Dmitriy Evteev devteev at ptsecurity.com
Wed Aug 19 10:13:16 EDT 2009

While preparing an article about WAF bypassing methods, I found an
interesting way to bypass filters via HTTP parameters fragmentation. 


Vulnerable code example

Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);


The following request doesn't allow an attack to be conducted



The following request succeeds using HPF



In this case, the SQL request looks like

select * from table where a=1 union/* and b=*/select 1,2


Another example:

Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit

Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." order
by ".$_GET['c']." limit 1");


Using HPF (HTTP Parameter Fragmentation), the request succeeds:



The question is: is there any name for the technique? Please advise me if
you know of articles or experts in the field (for example, I found a reference
voriteXSS-SLIDES.pdf, page 79).

Thank you in advance for your help and cooperation!


- - - - - - - - - - - - - - - 
Best Regards, Dmitry Evteev 
Positive Technologies Co. 
Tel.: (495) 744-0144 
Web: http://www.ptsecurity.ru
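
Added example, not part of the original post: a filter that inspects each parameter on its own misses the fragmented input, while a check for a block comment opened in one parameter and closed in a later one flags it. The signature regex and all function names are hypothetical, and the sample values are constructed from the SQL statement quoted in the post.

```python
import re

# Hypothetical per-parameter signature of the kind the post describes bypassing.
UNION_SELECT = re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def per_param_hits(params):
    """Names of parameters whose own value matches the signature."""
    return [k for k, v in params.items() if UNION_SELECT.search(v)]


def dangling_comment(value):
    """Return 'open', 'close' or None for an unbalanced /* */ in one value."""
    rest = BLOCK_COMMENT.sub(" ", value)  # drop balanced comments first
    if "/*" in rest:
        return "open"
    if "*/" in rest:
        return "close"
    return None


def fragmentation_hits(params):
    """Pairs (opener, closer): a comment opened in one parameter, closed in a later one."""
    hits, opener = [], None
    for name, value in params.items():  # dict preserves query-string order
        state = dangling_comment(value)
        if state == "close" and opener is not None:
            hits.append((opener, name))
            opener = None
        elif state == "open":
            opener = name
    return hits


def as_database_sees_it(params):
    """Rebuild the post's first query, then replace comments with a space."""
    sql = "select * from table where a=" + params["a"] + " and b=" + params["b"]
    return BLOCK_COMMENT.sub(" ", sql)


# Constructed input: the values that yield the SQL statement quoted in the post.
SAMPLE = {"a": "1 union/*", "b": "*/select 1,2"}
BENIGN = {"a": "1", "b": "2"}

if __name__ == "__main__":
    print("per-parameter signature hits:", per_param_hits(SAMPLE))
    print("cross-parameter comment pairs:", fragmentation_hits(SAMPLE))
    print("statement after comment removal:", as_database_sees_it(SAMPLE))
```

The cross-parameter check is a detection aid only; binding a and b as query parameters in the application removes the concatenation that the filter is trying to guard.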

