[WEB SECURITY] HTTP parameters fragmentation

lavakumar kuppan lavakumar.in at gmail.com
Thu Aug 20 14:12:44 EDT 2009


Nice, I think this answers Steve's question.
It might be a little harder to extend the same technique to SQL Injection I
think.
Unlike XSS where we can see the placement of the entire output, in SQL the
structure of the query has to be guessed and that might make it relatively
complicated.

However, like your book suggests this might come handy in overcoming length
limitations in addition to WAF bypass.
So it surely looks like it's worth the extra effort in some cases.

Cheers,
Lava
http://www.lavakumar.com

On Thu, Aug 20, 2009 at 12:41 PM, PortSwigger <mail at portswigger.net> wrote:

> For what it's worth, there is an example of using inline comments to span
> an
> XSS attack across multiple different parameters on p412 of The Web
> Application Hacker's Handbook.
>
> Cheers
> PortSwigger
>
> -----Original Message-----
> From: Steve Pinkham [mailto:steve.pinkham at gmail.com]
> Sent: 19 August 2009 21:30
> To: lavakumar kuppan; websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] HTTP parameters fragmentation
>
> I agree. If it's two different parameters, it's not quite the same as
> HPP.  Somehow glanced over that detail ;-) On the other hand, some of
> the effects of HPP are similar to what you describe.
>
> It's not really a novel technique, I've used it in the past to get
> around XSS filters,  but I'm at a loss for a definitive place to point
> for documentation on the issue.
> Anyone?
>
> Steve
> lavakumar kuppan wrote:
> > Not really.
> > When multiple parameters of the same name are sent in a single request,
> > different web technologies (ASP, ASP.NET, Java, Python, Perl, PHP etc.)
> > handle it differently.
> > This is a problem with the implementation of the HTTP protocol on these
> > technologies. This is what HPP deals with.
> >
> > And when it comes to WAF bypass with HPP, the problem is the failure of
> > WAF to mimic the server technology's HTTP implementation, causing
> > an impedance mismatch.
> >
> >
> > Dmitriy's method does not exploit impedance mismatch or weakness of the
> > HTTP implementation.
> > Instead it is a clever way to exploit a specific type of SQL injection
> > vulnerability (involving two vulnerable parameters in the same query) by
> > splitting the payload so that it cannot be filtered by the WAF but can
> > still be executed by the server.
> >
> > Though superficially the two techniques appear to be similar, they are
> > exploiting weaknesses in two different areas.
> > The use of inline comments to join the parts of the payload is what is
> > common here.
> >
> > This would classify as payload obfuscation IMHO.
> >
> > Cheers,
> > Lava
> > http://www.lavakumar.com
> >
> > On Thu, Aug 20, 2009 at 12:29 AM, Prasad Shenoy <prasad.shenoy at gmail.com
> > <mailto:prasad.shenoy at gmail.com>> wrote:
> >
> >     Steve Pinkham nailed it I guess. It is a form of HPP? No?
> >
> >     P. N. Shenoy
> >
> >     On Wed, Aug 19, 2009 at 1:02 PM, lavakumar kuppan <lavakumar.in at gmail.com> wrote:
> >
> >         Hi Dmitriy,
> >
> >         That is very interesting. It very closely resembles the
> >         ModSecurity Filter Bypass that I had discovered sometime back.
> >         There is just one small difference, I was using the same
> >         parameter multiple times (HTTP Parameter Pollution) while you are
> >         using multiple parameters, nice trick!
> >
> >         I had written a whitepaper on the same, you can find it at
> >         http://lavakumar.com/Split_and_Join.pdf
> >         The ModSecurity advisory is at
> >         http://lavakumar.com/modsecurity_hpp.txt
> >
> >         You can find more information about HPP at
> >         http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
> >
> >         Hope this helps.
> >
> >         Cheers,
> >         Lava
> >         http://www.lavakumar.com
> >
> >
> >         2009/8/19 Dmitriy Evteev <devteev at ptsecurity.com
> >         <mailto:devteev at ptsecurity.com>>:
> >
> >          > While preparing an article about WAF bypassing methods, I found an
> >          > interesting way to bypass filters via HTTP parameters fragmentation.
> >          >
> >          >
> >          >
> >          > Vulnerable code example
> >          >
> >          > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']);
> >          >
> >          >
> >          >
> >          > The following request doesn't allow an attack to be conducted
> >          >
> >          > index.php?a=1+union+select+1,2/*
> >          >
> >          >
> >          >
> >          > The following request succeeded using HPF
> >          >
> >          > index.php?a=1+union/*&b=*/select+1,2
> >          >
> >          >
> >          >
> >          > In this case, the SQL request looks like
> >          >
> >          > select * from table where a=1 union/* and b=*/select 1,2
> >          >
> >          >
> >          >
> >          > Another example:
> >          >
> >          > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']);
> >          >
> >          > Query("select * from table where a=".$_GET['a']." and b=".$_GET['b']." order by ".$_GET['c']." limit 1");
> >          >
> >          >
> >          >
> >          > Using HPF (HTTP Parameter Fragmentation), the request succeeded:
> >          >
> >          > index.php?a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--
> >          >
> >          >
> >          >
> >          > The question is: is there any name for the technique? Please,
> >          > advise me if you know articles or experts in the field (for
> >          > example, I found a reference in
> >          > http://www.blackhat.com/presentations/bh-usa-09/VELANAVA/BHUSA09-VelaNava-FavoriteXSS-SLIDES.pdf,
> >          > page 79).
> >          >
> >          > Thank you for help and cooperation in advance!
> >          >
> >          >
> >          >
> >          > - - - - - - - - - - - - - - -
> >          > Best Regards, Dmitry Evteev
> >          > Positive Technologies Co.
> >          > Tel.: (495) 744-0144
> >          > Web: http://www.ptsecurity.ru
> >          >
> >          >
> >
> >
> >
>
>
> --
>  | Steven E. Pinkham                      |
>  | Security Researcher, Maven Security    |
>  | steve.pinkham at mavensecurity.com        |
>  | GPG public key ID CD31CAFB             |
>
>
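A defender-side check for the cross-parameter comment splitting that Dmitriy's examples rely on (an added example, not code from this thread or from any WAF product): it contrasts a signature applied to each decoded parameter on its own, which the fragmented requests slip past, with two checks that do see the fragmentation, one reporting a `/*` opened in one parameter and closed in a later one, and one running the signature over all values joined in request order with comments stripped. The request strings are the ones quoted from Dmitriy's post; the signature regex and the function names are this example's own assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Toy signature standing in for a WAF rule; the real rule set is not on the page.
SIGNATURE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
COMMENT_TOKEN = re.compile(r"/\*|\*/")

# Requests quoted from Dmitriy's post: the single-parameter form and the two HPF forms.
REQ_SINGLE = "index.php?a=1+union+select+1,2/*"
REQ_HPF = "index.php?a=1+union/*&b=*/select+1,2"
REQ_HPF3 = "index.php?a=1+union/*&b=*/select+1,2,pass/*&c=*/from+users--"

def parse_params(url):
    """Decode the query string into (name, value) pairs, in request order."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def per_parameter_hits(params):
    """The inspection model HPF evades: the rule sees each value on its own."""
    return [name for name, value in params if SIGNATURE.search(value)]

def comment_spans(params):
    """Report inline comments opened in one parameter and closed in a later one,
    as (opener, closer) pairs; opener is None for a '*/' with no matching '/*'."""
    spans, opener = [], None  # opener: name of the parameter holding an open /*
    for name, value in params:
        for tok in COMMENT_TOKEN.finditer(value):
            if tok.group() == "/*":
                if opener is None:  # MySQL-style comments do not nest
                    opener = name
            elif opener is None:
                spans.append((None, name))
            else:
                if opener != name:
                    spans.append((opener, name))
                opener = None
    return spans

def joined_view_hit(params):
    """Run the rule over all values joined in request order with /* */ comments
    removed: closer to what the server's concatenated SQL will look like."""
    joined = " ".join(value for _, value in params)
    return bool(SIGNATURE.search(re.sub(r"/\*.*?\*/", " ", joined, flags=re.S)))

def assess(url):
    params = parse_params(url)
    return {"per_parameter": per_parameter_hits(params),
            "comment_spans": comment_spans(params),
            "joined_view": joined_view_hit(params)}
```

Only the first request trips the per-parameter rule; the two fragmented requests are caught solely by the comment-span and joined-view checks.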

