[WEB SECURITY] HTTP parameters fragmentation

Steven M. Christey coley at linus.mitre.org
Wed Aug 19 10:53:35 EDT 2009

I see this type of technique used *very* occasionally in milw0rm exploits
but am also interested to know if there is other terminology out there,
e.g. in WASC land.

In CWE vulnerability theory, we have a general term "facilitator
manipulation" that covers the modifications to an attack string that give
the attacker more fine control.  Your use of comment sequences would fall
under the notion of a "facilitator manipulation" that provides "syntactic
realignment" - i.e. makes sure the resulting query is well-formed so that
it will execute successfully.  Another example of a facilitator
manipulation might be using alphanumeric shellcode in a buffer overflow.

As we continue to build on the CAPEC (attack pattern) work and link with
CWE, our terminology might change or get refined, but for the time being
that's what I use.

- Steve

P.S. I'm suddenly in the mood for pad thai...