Prajwal Tuladhar’s Blog
 
programming, life and some random thoughts

Aug 06 2009

HTTP Parameter Pollution – A new kind of attack

Published by at 11:54 pm under security

Okay, I definitely haven’t heard this term (HTTP Parameter Pollution) in the past. I came across this post, and was quite amazed by the potential of this new breed of attack. It makes use of the HTTP query string, overriding key-value pairs by repeating a key. As we know, this type of URL is perfectly valid:

http://domain.com?par1=value1&par1=value2

But query strings like this, where a key has multiple values, are interpreted differently by different environments. For example:

  • ASP.NET / ASP using IIS interprets the above query string as par1=value1,value2
  • PHP using Apache interprets the above query string as par1[0]=value1; par1[1]=value2
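
An added example, not code from this post or from the slides: it parses the URL above under the two merge behaviours just listed and includes a defensive check that flags repeated keys. The function names and the first-value filter are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

def raw_pairs(url):
    """Return every key/value pair in order, keeping repeats and blank values."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def comma_joined(url):
    """Merge repeats as 'value1,value2' (the ASP.NET/IIS behaviour described above)."""
    merged = {}
    for key, value in raw_pairs(url):
        merged[key] = merged[key] + "," + value if key in merged else value
    return merged

def as_array(url):
    """Collect repeats into a list (the par1[0], par1[1] behaviour described above)."""
    merged = {}
    for key, value in raw_pairs(url):
        merged.setdefault(key, []).append(value)
    return merged

def first_only(url):
    """Keep only the first occurrence, as a hypothetical upstream filter might."""
    merged = {}
    for key, value in raw_pairs(url):
        merged.setdefault(key, value)
    return merged

def duplicated_keys(url):
    """Defensive check: names that occur more than once in the query string."""
    seen, repeated = set(), []
    for key, _ in raw_pairs(url):
        if key in seen and key not in repeated:
            repeated.append(key)
        seen.add(key)
    return repeated

def layers_disagree(url):
    """True when a first-value filter and a comma-joining backend see different data."""
    return first_only(url) != comma_joined(url)

# Constructed sample input: the URL from the post, plus one without repeats.
POLLUTED = "http://domain.com?par1=value1&par1=value2"
CLEAN = "http://domain.com?par1=value1&par2=value2"

if __name__ == "__main__":
    for url in (POLLUTED, CLEAN):
        print(url, comma_joined(url), as_array(url), duplicated_keys(url), layers_disagree(url))
```

Rejecting or logging requests where `duplicated_keys` is non-empty removes the ambiguity before any layer has to pick an interpretation.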

For detailed information about this attack, I strongly recommend that you view the slides:

Unusual behaviors are a usual source of security weaknesses.
Enjoy the slide!


3 Responses to “HTTP Parameter Pollution – A new kind of attack”

  1. [...] exploit is the typical example of HTTP Parameter Pollution. If you haven’t gone thru the slide, I recommend you to have a look. The problem is that HPP [...]

  2. tavrej on 28 Aug 2009 at 12:29 am

    hi Prajwal, so some original research on Stefano activities,

  3. tavrej on 28 Aug 2009 at 5:29 am

    hi Prajwal, so some original research on Stefano activities,
