The WIse SECurity
Tuesday, May 19, 2009, 12:06
HTTP Parameter Pollution, a new web attack category (not just a new buzzword :p)
On May 14th, at the 2009 OWASP AppSec Poland, Luca Carettoni and I presented a new attack category called HTTP Parameter Pollution (HPP).
Just to whet your appetite, I can anticipate that, while researching real-world HPP vulnerabilities, we found issues in some Google Search Appliance front-end scripts, Ask.com, Yahoo! Mail Classic and several other products.
You can download the slides of the talk here (pdf) or browse them on Slideshare.
Also, we'll soon release a whitepaper in order to clarify all details about HPP.
One last piece of news: in a few days the video of the "Yahoo! Classic Mail" exploitation of client-side HPP will be available on this blog.
So...stay tuned and bon appetit!
Pierre Ernst, Friday, May 22, 2009, 17:06
This type of attack seems to be related to CWE-235.
Stefano, Friday, May 22, 2009, 17:49
Pierre, thanks for the reference, we'll add it to the whitepaper.
Jeremy, Wednesday, May 27, 2009, 16:24
So what about "Value Shadowing" that has been cited by at least one major static analyzer for a while now? Do a Google search on it.
Stefano, Thursday, May 28, 2009, 10:12
satyajit das, Tuesday, August 11, 2009, 10:09
good description, we expect more
Wisec is written and maintained by Stefano Di Paola.