[WEB SECURITY] HTTP parameters fragmentation

Steven M. Christey coley at linus.mitre.org
Wed Aug 19 10:53:35 EDT 2009


I see this type of technique used *very* occasionally in milw0rm exploits
but am also interested to know if there is other terminology out there,
e.g. in WASC land.

In CWE vulnerability theory, we have a general term "facilitator
manipulation" that covers the modifications to an attack string that give
the attacker more fine control.  Your use of comment sequences would fall
under the notion of a "facilitator manipulation" that provides "syntactic
realignment" - i.e. makes sure the resulting query is well-formed so that
it will execute successfully.  Another example of a facilitator
manipulation might be using alphanumeric shellcode in a buffer overflow
exploit.

  http://cwe.mitre.org/documents/vulnerability_theory/intro.html#chap15

As we continue to build on the CAPEC (attack pattern) work and link with
CWE, our terminology might change or get refined, but for the time being
that's what I use.

- Steve

P.S. I'm suddenly in the mood for pad thai...
