[WEB SECURITY] HTTP parameters fragmentation

lavakumar kuppan lavakumar.in at gmail.com
Wed Aug 19 16:18:13 EDT 2009


Not really. When multiple parameters of the same name are sent in a single
request, different web technologies (ASP, ASP.NET, Java, Python, Perl, PHP
etc.) handle it differently.
This is a problem with the implementation of the HTTP protocol on these
technologies. This is what HPP deals with.

And when it comes to WAF bypass with HPP, the problem is the failure of WAF
to mimic the server technology's HTTP implementation, causing
an impedance mismatch.


Dmitriy's method does not exploit impedance mismatch or weakness of the HTTP
implementation.
Instead it is a clever way to exploit a specific type of SQL injection
vulnerability (involving two vulnerable parameters in the same query) by
splitting the payload so that it cannot be filtered by the WAF but can still
be executed by the server.

Though superficially the two techniques appear to be similar, they are
exploiting weaknesses in two different areas.
The use of inline comments to join the parts of the payload is what is
common here.

This would classify as payload obfuscation IMHO

Cheers,
Lava
http://www.lavakumar.com

On Thu, Aug 20, 2009 at 12:29 AM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:

> Steve Pinkham nailed it I guess. It is a form of HPP? No?
>
> P. N. Shenoy
>
> On Wed, Aug 19, 2009 at 1:02 PM, lavakumar kuppan <lavakumar.in at gmail.com> wrote:
>
>> Hi Dmitriy,
>>
>> That is very interesting. It very closely resembles the ModSecurity Filter
>> Bypass that I had discovered some time back.
>> There is just one small difference: I was using the same parameter
>> multiple times (HTTP Parameter Pollution) while you are using multiple
>> parameters, nice trick!
>>
>> I had written a whitepaper on the same, you can find it at
>> http://lavakumar.com/Split_and_Join.pdf
>> The ModSecurity advisory is at http://lavakumar.com/modsecurity_hpp.txt
>>
>> You can find more information about HPP at
>> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
>>
>> Hope this helps.
>>
>> Cheers,
>> Lava
>> http://www.lavakumar.com
>>
>>
>> 2009/8/19 Dmitriy Evteev <devteev at ptsecurity.com>:
>>
>> > While preparing an article about WAF bypassing methods, I found an
>> > interesting way to bypass filters via HTTP parameters fragmentation.
>> >
>> >
>> >
>> > Vulnerable code example
>> >
>> > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
>> >
>> >
>> >
>> > The following request doesn’t allow an attack to be conducted
>> >
>> > index.php?a=1+union+select+1,2/*
>> >
>> >
>> >
>> > The following request succeeded using HPF
>> >
>> > index.php?a=1+union/*&b=*/select+1,2
>> >
>> >
>> >
>> > In this case, the SQL request looks like
>> >
>> > select * from table where a=1 union/* and b=*/select 1,2
>> >
>> >
>> >
>> > Another example:
>> >
>> > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);
>> >
>> > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." order by ".$_GET['c']." limit 1");
>> >
>> >
>> >
>> > Using HPF (HTTP Parameter Fragmentation), the request succeeded:
>> >
>> > index.php?a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--
>> >
>> >
>> >
>> > The question is: is there any name for the technique? Please advise me
>> > if you know articles or experts in the field (for example, I found a
>> > reference in
>> > http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf,
>> > page 79).
>> >
>> > Thank you for help and cooperation in advance!
>> >
>> >
>> >
>> > - - - - - - - - - - - - - - -
>> > Best Regards, Dmitry Evteev
>> > Positive Technologies Co.
>> > Tel.: (495) 744-0144
>> > Web: http://www.ptsecurity.ru
>> >
>> >
>>
>>
>
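Added example, not part of the thread and not code from any of the posters: a Python stand-in for the PHP concatenation Dmitriy quoted, used to show three things at once: why a WAF rule that inspects each parameter in isolation misses the fragmented request, the HPP impedance mismatch Lava describes (PHP keeps the last value of a repeated name, Java servlets the first, ASP.NET joins them with commas, as documented in the Carettoni/Di Paola paper linked above), and a defender-side check that flags a `/*` or `*/` fragment that cannot be balanced inside its own parameter. All function names and the sample query strings are constructed for this example.

```python
"""Added example (not from the thread): Python stand-in for the PHP code
Dmitriy posted. Shows why per-parameter WAF rules miss HPF, how repeated
parameters resolve differently per stack (HPP), and a check for comment
fragments that span parameter boundaries. Names and samples are constructed."""
from urllib.parse import parse_qs

# Constructed sample requests, modelled on the ones quoted in the thread.
BENIGN = "a=1&b=2"
SINGLE_PARAM_ATTACK = "a=1+union+select+1,2/*"
FRAGMENTED_ATTACK = "a=1+union/*&b=*/select+1,2"


def backend_value(values, technology):
    """Resolve a repeated parameter the way the named stack does (per the
    HPP paper cited in the thread): PHP keeps the last value, Java servlets
    the first, ASP.NET joins all values with commas. A WAF that does not
    mimic the backend's choice is the impedance mismatch Lava mentions."""
    if technology == "php":
        return values[-1]
    if technology == "java":
        return values[0]
    if technology == "asp.net":
        return ",".join(values)
    raise ValueError(f"unknown technology {technology!r}")


def naive_per_param_filter(query):
    """Constructed WAF rule: block if any single value contains both
    'union' and 'select'. Each value is judged on its own."""
    for values in parse_qs(query, keep_blank_values=True).values():
        for v in values:
            low = v.lower()
            if "union" in low and "select" in low:
                return True
    return False


def build_sql_like_php(query):
    """Reproduce the vulnerable concatenation from the thread,
    select * from table where a=$a and b=$b, with PHP's last-value rule."""
    params = parse_qs(query, keep_blank_values=True)
    a = backend_value(params.get("a", [""]), "php")
    b = backend_value(params.get("b", [""]), "php")
    return f"select * from table where a={a} and b={b}"


def value_has_unbalanced_comment(value):
    """True if the value opens a /* comment it never closes, or closes one
    it never opened. Comments do not nest in MySQL, so one flag suffices.
    Such a fragment only makes sense if it is meant to join with text
    outside the parameter, which is exactly the HPF pattern."""
    in_comment = False
    i = 0
    while i < len(value) - 1:
        pair = value[i:i + 2]
        if pair == "/*" and not in_comment:
            in_comment = True
            i += 2
            continue
        if pair == "*/":
            if not in_comment:
                return True
            in_comment = False
            i += 2
            continue
        i += 1
    return in_comment


def fragmented_parameters(query):
    """Names of parameters whose values carry an unbalanced comment."""
    return [name for name, values in parse_qs(query, keep_blank_values=True).items()
            if any(value_has_unbalanced_comment(v) for v in values)]


def whole_query_filter(query):
    """Apply the same 'union'+'select' rule, but to the SQL string the
    backend will execute, with comment bodies stripped first. This is the
    view a WAF needs in order to see the joined payload."""
    sql = build_sql_like_php(query).lower()
    out, i = [], 0
    while i < len(sql):
        if sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = len(sql) if end == -1 else end + 2
            out.append(" ")
            continue
        out.append(sql[i])
        i += 1
    stripped = "".join(out)
    return "union" in stripped and "select" in stripped


if __name__ == "__main__":
    for q in (BENIGN, SINGLE_PARAM_ATTACK, FRAGMENTED_ATTACK):
        print(q, "| per-param:", naive_per_param_filter(q),
              "| fragments:", fragmented_parameters(q),
              "| whole-query:", whole_query_filter(q))
```

Running it shows the fragmented request passing `naive_per_param_filter` while both `fragmented_parameters` and `whole_query_filter` catch it; the benign request trips neither. The unbalanced-comment check is cheap and stack-independent, but the real fix for the quoted PHP is parameterised queries, since a WAF can only approximate what the backend will do with the joined string.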