Hello! I have created a Google Chrome extension for detecting HPP vulnerabilities purely at the client-side. The idea is to use jQuery for parsing all hyperlinks and HTML forms that may include the same parameter multiple times. HPP Finder marks all suspicious hyperlinks and forms in a dashed frame and reports all of them in a pop-up, which is triggered upon clicking on the extension's icon. HPP Finder is not a complete solution for HPP attacks. It can only spot hyperlinks and forms that include parameters that mask one each other. It is also still in a very beta stage, since it's my first Chrome extension. You can find a demo page at: http://www.ics.forth.gr/~elathan/extra/hpp/index.html Any comments and suggestions are welcome. Regards, Elias -- I bet the human brain is a kludge. --Marvin Minsky

Hi Elias, > I have created a Google Chrome extension for detecting HPP > vulnerabilities purely at the client-side. The idea is to use jQuery > for parsing all hyperlinks and HTML forms that may include the same > parameter multiple times. HPP Finder marks all suspicious hyperlinks > and forms in a dashed frame and reports all of them in a pop-up, > which is triggered upon clicking on the extension's icon. I like the idea to have a client-side protection to HPP. By the way, I'm confident that the plug-in you propose may raise more false positives (e.g. form's checkbox) than protecting their users. I propose you to enhance the plug-in with a couple of ideas we can discuss offline. > HPP Finder is not a complete solution for HPP attacks. It can only > spot hyperlinks and forms that include parameters that mask one each > other. It is also still in a very beta stage, since it's my first > Chrome extension. You can find a demo page at: > > http://www.ics.forth.gr/~elathan/extra/hpp/index.html > > Any comments and suggestions are welcome. In the meantime, I'd prefer if you highlight my thought (see above) on your page. Marco -- bash$ :(){ :|:&};: Computer Science belongs to all Humanity! Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA)

Hello! On Sun, May 15, 2011 at 8:57 PM, Marco Balduzzi <marco.balduzzi@iseclab.org>wrote: > Hi Elias, > > > I have created a Google Chrome extension for detecting HPP > > vulnerabilities purely at the client-side. The idea is to use jQuery > > for parsing all hyperlinks and HTML forms that may include the same > > parameter multiple times. HPP Finder marks all suspicious hyperlinks > > and forms in a dashed frame and reports all of them in a pop-up, > > which is triggered upon clicking on the extension's icon. > > I like the idea to have a client-side protection to HPP. > By the way, I'm confident that the plug-in you propose may raise more > false positives (e.g. form's checkbox) than protecting their users. > Yes, I am aware of that. This is why I stated that HPP Finder marks all *suspicious* links. > I propose you to enhance the plug-in with a couple of ideas we can > discuss offline. Feel free to contact me in person. Regards, -- I bet the human brain is a kludge. --Marvin Minsky