Marco Balduzzi marco.balduzzi at iseclab.org
Sun May 15 13:57:17 EDT 2011

Hi Elias,

> I have created a Google Chrome extension for detecting HPP
> vulnerabilities purely at the client-side. The idea is to use jQuery
> for parsing all hyperlinks and HTML forms that may include the same
> parameter multiple times. HPP Finder marks all suspicious hyperlinks
> and forms in a dashed frame and reports all of them in a pop-up,
> which is triggered upon clicking on the extension's icon.

I like the idea of having client-side protection against HPP.
By the way, I'm confident that the plug-in you propose may raise more
false positives (e.g. form checkboxes) than it provides protection to its users.

I propose that you enhance the plug-in with a couple of ideas we can
discuss offline.

> HPP Finder is not a complete solution for HPP attacks. It can only
> spot hyperlinks and forms that include parameters that mask each
> other. It is also still at a very early beta stage, since it's my first
> Chrome extension. You can find a demo page at:
> http://www.ics.forth.gr/~elathan/extra/hpp/index.html
> Any comments and suggestions are welcome.

In the meantime, I'd prefer it if you highlighted my thought (see above)
on your page.

bash$ :(){ :|:&};: Computer Science belongs to all Humanity! 
Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc
Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA)
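The same-name heuristic HPP Finder applies to hyperlinks and forms, together with the checkbox false positive raised in the reply, as an added example that is not the extension's code nor part of this thread. It runs on data extracted from a page rather than on the live DOM (so no jQuery is needed); the base URL and the `{ method, action, fields }` form shape are assumptions made for the example.

```javascript
// Added example (not HPP Finder's code): flag links and forms whose parameter
// names repeat, the client-side HPP heuristic described in the thread, with
// checkbox and radio groups excluded since repeating their name is ordinary HTML.

// Count how often each name occurs and return the names seen more than once.
function repeatedNames(names) {
  const counts = new Map();
  for (const name of names) counts.set(name, (counts.get(name) || 0) + 1);
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name).sort();
}

// Parameter names that repeat in a hyperlink's query string, e.g. "?id=1&id=2".
// The base URL (assumed value) only serves to resolve relative hrefs.
function duplicateLinkParams(href, base = "https://example.invalid/") {
  return repeatedNames(new URL(href, base).searchParams.keys());
}

// A form is described as { method, action, fields: [{ name, type }] }, a
// constructed shape standing in for the DOM elements a real extension would
// inspect. Checkboxes and radios sharing a name form one group and are counted
// once: this is the false positive pointed out above. For POST forms the action
// URL's own query parameters reach the server next to the body, so they are
// counted too; a GET submission replaces the action's query string, so there
// they are ignored.
function duplicateFormParams(form) {
  const names = [];
  const groups = new Set();
  for (const f of form.fields) {
    if (!f.name) continue;
    const type = (f.type || "text").toLowerCase();
    if (type === "checkbox" || type === "radio") {
      if (groups.has(f.name)) continue;
      groups.add(f.name);
    }
    names.push(f.name);
  }
  if ((form.method || "get").toLowerCase() === "post") {
    const action = new URL(form.action || "", "https://example.invalid/");
    names.push(...action.searchParams.keys());
  }
  return repeatedNames(names);
}

// Constructed samples: a link and a POST form as they might appear on a page.
console.log(duplicateLinkParams("/view?id=1&id=2&page=3")); // ["id"]
console.log(duplicateFormParams({ method: "post", action: "/vote?poll=7",
  fields: [{ name: "poll", type: "hidden" }, { name: "choice", type: "text" }] })); // ["poll"]
```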

More information about the websecurity mailing list