
Tuesday, May 19, 2009, 12:06

HTTP Parameter Pollution, a new web attack category (not just a new buzzword :p)

On May 14th, at OWASP Appsec Poland 2009, Luca Carettoni and I presented a new attack category called HTTP Parameter Pollution (HPP).

An HPP attack can be defined as the ability to override or add HTTP GET/POST parameters by injecting query string delimiters.
It affects a building block of all web technologies, so both server-side and client-side attacks exist.
By exploiting HPP vulnerabilities, it may be possible to:

  • Override existing hardcoded HTTP parameters.
  • Modify the application behaviors.
  • Access and, potentially, exploit uncontrollable variables.
  • Bypass input validation checkpoints and WAF rules.
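
An added example (not from the original post or the slides) of the definition above: a hardcoded parameter is overridden when a decoded user value is concatenated into a query string without re-encoding, and the outcome depends on how the receiving parser resolves duplicate names. The parameter names, the three duplicate-handling policies and the sample value are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Duplicate-name policies a receiving parser may apply (illustrative labels,
# not tied to any specific product).
POLICIES = {
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
    "joined": lambda vals: ",".join(vals),
}

def resolve(query, policy):
    """Parse a query string and collapse duplicate names with the given policy."""
    grouped = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(name, []).append(value)
    return {name: POLICIES[policy](vals) for name, vals in grouped.items()}

def build_query_vulnerable(poll_id):
    """Flawed: the already-decoded value is concatenated as-is, so any
    '&' or '=' inside it becomes a real query string delimiter."""
    return "action=view&poll_id=" + poll_id

def build_query_hardened(poll_id):
    """Fixed: urlencode() percent-encodes '&' and '=' in the value, so it
    stays a single parameter whatever it contains."""
    return urlencode({"action": "view", "poll_id": poll_id})

def polluted_names(query):
    """Detection helper: parameter names that occur more than once."""
    seen, dup = set(), set()
    for name, _ in parse_qsl(query, keep_blank_values=True):
        (dup if name in seen else seen).add(name)
    return sorted(dup)

# Constructed sample: the value the application holds after the front end
# has decoded a request carrying poll_id=4%26action%3Dedit
USER_VALUE = "4&action=edit"

if __name__ == "__main__":
    for label, query in (("vulnerable", build_query_vulnerable(USER_VALUE)),
                         ("hardened", build_query_hardened(USER_VALUE))):
        print(label, query, "duplicates:", polluted_names(query))
        for policy in POLICIES:
            print("   ", policy, resolve(query, policy))
```

The hardcoded `action=view` survives only under the "first" policy in the vulnerable builder; in the hardened builder it is the same under all three, and `polluted_names` gives a simple check for logs or request filters.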

Just to whet your appetite, I can reveal that while researching real-world HPP vulnerabilities, we found issues in some Google Search Appliance front-end scripts, Yahoo! Mail Classic and several other products.

You can download the slides of the talk here (pdf) or browse them on Slideshare.

Also, we'll soon release a whitepaper to clarify all the details of HPP.

One last piece of news: in a few days, the video of the "Yahoo! Classic Mail" exploitation of Client Side HPP will be available on this blog.
So... stay tuned and bon appetit!


Pierre Ernst, Friday, May 22, 2009, 17:06

This type of attacks seems to be related to CWE-235


Stefano, Friday, May 22, 2009, 17:49

Pierre, thanks for the reference, we'll add it to the whitepaper.

Just one word about your sentence:
"This type of attacks"

HPP actually refers to three variants:
1. Client Side
2. Server Side
3. WAF Bypass

Just for clarity, you are referring to the 3. WAF Bypass variant.
As you and other researchers have stated, the 3rd variant was partially already known (even if not quite popular imho).
We will give the right references to the authors.



Jeremy, Wednesday, May 27, 2009, 16:24

So what about "Value Shadowing" that has been cited by at least one major static analyzer for a while now? Do a google search on it.


Stefano, Thursday, May 28, 2009, 10:12


First of all, let me say that you have probably read the first 10 slides only, and then you stopped.
In fact, HPP (I'll never be tired of saying it) actually refers to three variants:
1. Client Side
2. Server Side
3. WAFs Bypass

About your specific question, you are probably mentioning:
hxxp :// dotnet/value_shadowing_server_variable.html

I want to cite it:
"The program accesses a server variable in an ambiguous way, which can leave it open to attack. "
Quite generic, huh?
Let's talk about the description of the bypass, reported in the Fortify page. The issue is nonsense since the bypass can be easily performed by simply

curl "" -ki -H "Referer: http ://"

Even if the code is using the right access to the referrer.

This has nothing to do with HPP in the form we have shown during our presentation.
Please, read once again the slides and come back with any point we stated that is actually connected with HPP.

That said, the EGPCS (Environment, GET, POST, Cookie, Server) order, the GPC $REQUEST order and register_globals have also been known for their security side effects since PHP became a widely used language.

The order by which a server uses a value instantiated by a parameter is _only_ a part of the real issue which is about exploiting HTTP parameter injections and WAFs Bypassing (multiple layers).
Speaking about HPP, you have to consider two things: (a) input validation flaw against QueryString delimiters and (b) HTTP back-ends behaviors. As said, (b) is a matter of exploitability only.

If you have missed the HTTP Parameter Pollution FAQs, please read them.

As a final note, there have been some discussions on web security mailing lists about what you call value shadowing and Ivan Ristic calls "impedance mismatch" or "incompatible parameter parsing", and the use of them in terms of HPP. You'll probably find some more specific answers by reading them.


satyajit das, Tuesday, August 11, 2009, 10:09

good description, we expect more


Wisec is written and maintained by Stefano Di Paola.
