Hello!
I have created a Google Chrome extension for detecting HPP vulnerabilities
purely at the client-side. The idea is to use jQuery for parsing all
hyperlinks and HTML forms that may include the same parameter multiple
times. HPP Finder marks all suspicious hyperlinks and forms in a dashed
frame and reports all of them in a pop-up, which is triggered upon clicking
on the extension's icon.
HPP Finder is not a complete solution for HPP attacks. It can only spot
hyperlinks and forms that include parameters that mask each other. It is
also still in a very beta stage, since it's my first Chrome extension. You
can find a demo page at:
http://www.ics.forth.gr/~elathan/extra/hpp/index.html
Any comments and suggestions are welcome.
Regards,
Elias
--
I bet the human brain is a kludge. --Marvin Minsky
Hi Elias,
I have created a Google Chrome extension for detecting HPP
vulnerabilities purely at the client-side. The idea is to use jQuery
for parsing all hyperlinks and HTML forms that may include the same
parameter multiple times. HPP Finder marks all suspicious hyperlinks
and forms in a dashed frame and reports all of them in a pop-up,
which is triggered upon clicking on the extension's icon.
I like the idea of having client-side protection against HPP.
By the way, I'm confident that the plug-in you propose may raise more
false positives (e.g. form checkboxes) than protect its users.
I propose that you enhance the plug-in with a couple of ideas we can
discuss offline.
HPP Finder is not a complete solution for HPP attacks. It can only
spot hyperlinks and forms that include parameters that mask each
other. It is also still in a very beta stage, since it's my first
Chrome extension. You can find a demo page at:
http://www.ics.forth.gr/~elathan/extra/hpp/index.html
Any comments and suggestions are welcome.
In the meantime, I'd prefer it if you highlighted my thought (see above)
on your page.
bash$ :(){ :|:&};: Computer Science belongs to all Humanity!
Icq uin: #48790142 - PGP Key www.madlab.it/pgpkey/embyte.asc
Fingerprint 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA
Hello!
On Sun, May 15, 2011 at 8:57 PM, Marco Balduzzi <marco.balduzzi@iseclab.org> wrote:
Hi Elias,
I have created a Google Chrome extension for detecting HPP
vulnerabilities purely at the client-side. The idea is to use jQuery
for parsing all hyperlinks and HTML forms that may include the same
parameter multiple times. HPP Finder marks all suspicious hyperlinks
and forms in a dashed frame and reports all of them in a pop-up,
which is triggered upon clicking on the extension's icon.
I like the idea of having client-side protection against HPP.
By the way, I'm confident that the plug-in you propose may raise more
false positives (e.g. form checkboxes) than protect its users.
Yes, I am aware of that. This is why I stated that HPP Finder marks all
suspicious links.
I propose that you enhance the plug-in with a couple of ideas we can
discuss offline.
Feel free to contact me in person.
I bet the human brain is a kludge. --Marvin Minsky
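The check the thread describes (duplicate parameter names in hyperlinks and forms), with the checkbox false positive Marco raises handled, as an added example; this is not HPP Finder's own code. Form fields are modelled as plain objects so it runs without a DOM; a real extension would walk document.links and document.forms.

```javascript
// Added example, not HPP Finder's code. Flags links whose query string
// repeats a parameter name, and form field sets that repeat a name in a
// way that is not a legitimate checkbox/radio group.

// Return {name: [values...]} for every query parameter of `href` that
// appears more than once. Which value the server acts on depends on its
// framework (first, last, or a joined list), which is what HPP abuses.
function duplicateQueryParams(href, base = 'http://example.invalid/') {
  let params;
  try {
    params = new URL(href, base).searchParams;
  } catch {
    return {}; // unparsable href: nothing to report
  }
  const seen = new Map();
  for (const [name, value] of params) {
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(value);
  }
  const dups = {};
  for (const [name, values] of seen) {
    if (values.length > 1) dups[name] = values;
  }
  return dups;
}

// Fields: [{name, type}] as found on <input>/<select>/<textarea>.
// A repeated name is normal for checkbox and radio groups, so a name is
// only flagged when it is repeated and at least one field using it is
// not part of such a group.
const GROUP_TYPES = new Set(['checkbox', 'radio']);

function suspiciousFormFields(fields) {
  const byName = new Map();
  for (const f of fields) {
    if (!f.name) continue;
    if (!byName.has(f.name)) byName.set(f.name, []);
    byName.get(f.name).push((f.type || 'text').toLowerCase());
  }
  const flagged = [];
  for (const [name, types] of byName) {
    if (types.length < 2) continue;
    if (types.every((t) => GROUP_TYPES.has(t))) continue; // legitimate group
    flagged.push(name);
  }
  return flagged;
}

// Constructed sample inputs (not from the thread).
const SAMPLE_LINK = 'http://example.invalid/vote?id=1&id=7&poll=3';
const SAMPLE_FORM = [
  { name: 'topping', type: 'checkbox' }, { name: 'topping', type: 'checkbox' },
  { name: 'user', type: 'hidden' }, { name: 'user', type: 'text' },
];
```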