Http Parameter Contamination / Research paper
Posted by: Ivan
Date: June 29, 2011 11:23PM

The original idea of HTTP PARAMETER CONTAMINATION (HPC) comes from the innovative approach found in the HPP (HTTP Parameter Pollution) research: exploring deeper and exploiting strange behaviors in web server components, web applications and browsers that result from query string parameter contamination with reserved or unexpected characters.

Full document:

http://netsec.rs/files/Http%20Parameter%20Contamination%20-%20Ivan%20Markovic%20NSS.pdf


If this link doesn't work, try: http://goo.gl/Y88QE


Comments, ideas, remarks? :)

http://www.security-net.biz/

Re: Http Parameter Contamination / Research paper
Posted by: lightos
Date: June 30, 2011 09:15AM

Very interesting and a good reference. However, I did notice an error.
dummy2; waf bypass: http://localhost/?a=x[y
if (strpos("_", $_SERVER['QUERY_STRING']) === false) { system(key($_GET)); }
Apache/PHP will only convert [ to _ when it's in the parameter name, not the value.

Thanks for sharing! :)

Re: Http Parameter Contamination / Research paper
Posted by: Ivan
Date: June 30, 2011 03:18PM

Yes, it is my mistake, I put in the wrong example.

Thanks, it will be changed ;)

http://www.security-net.biz/

Re: Http Parameter Contamination / Research paper
Posted by: Skyphire
Date: July 02, 2011 12:45AM

Do you have a txt version? I never open PDFs as a rule.

Did some research on this in 2008, but since my site is gone, I'll post it here. PHP most often converts all illegal chars to underscores. There are ways to exploit this in fooling WAFs:

<?php

$var = "$\0REQUEST['xyz']"; # embedded null

$url = "http://username:password@hostname/path?arg=" . $var . "#anchor";

echo "<pre>";
print_r(parse_url($url));
echo parse_url($url, PHP_URL_PATH);
echo "</pre>";

?>

and the output generated by PHP:

Array
(
    [scheme] => http
    [host] => hostname
    [user] => username
    [pass] => password
    [path] => /path
    [query] => arg=$_REQUEST['xyz']#anchor  <- stuff we can use.
)

edit: added colors.



Edited 2 time(s). Last edit at 07/04/2011 03:39PM by Skyphire.

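The two observations above, that PHP rewrites certain characters in a parameter name but not in its value (lightos's correction) and that a filter working on the raw query string therefore sees different names than the application does (Skyphire's remark), can be checked directly with parse_str(), which populates an array the same way PHP populates $_GET. The script below is an added example written for this thread, not code from the paper or from either poster; the query strings in it are constructed, and the function names are my own. It shows the name normalization, a detection helper that reports parameters whose wire-level name does not survive as a $_GET key, and the mitigation of validating the names PHP actually registered against an allowlist instead of pattern-matching $_SERVER['QUERY_STRING'].

```php
<?php
// Added example (not from the paper or the thread): how PHP's parameter-name
// normalization makes the keys an application sees in $_GET differ from the
// raw query string a WAF or a strpos() check on QUERY_STRING inspects.

/**
 * Parameter names the application receives: parse_str() registers variables
 * with the same rules PHP uses for $_GET, so '.' and ' ' in a name become '_',
 * an unmatched '[' becomes '_', and 'a[b]' becomes an array under key 'a'.
 * Characters inside the VALUE are left alone.
 */
function app_param_names(string $query): array
{
    $params = [];
    parse_str($query, $params);
    return array_map('strval', array_keys($params));
}

/**
 * Parameter names as they appear on the wire, i.e. what a filter that only
 * looks at the raw query string would match against.
 */
function raw_param_names(string $query): array
{
    $names = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        $names[] = urldecode(explode('=', $pair, 2)[0]);
    }
    return $names;
}

/**
 * Detection: wire-level names that do not exist as keys after PHP's
 * normalization. A non-empty result means a filter on the raw query string
 * and the application disagree about which parameters this request carries.
 */
function renamed_params(string $query): array
{
    $app = app_param_names($query);
    $renamed = [];
    foreach (raw_param_names($query) as $name) {
        if (!in_array($name, $app, true)) {
            $renamed[] = $name;
        }
    }
    return $renamed;
}

/**
 * Mitigation: validate the names PHP actually registered against an
 * allowlist of expected parameters, rather than matching the raw string.
 */
function unexpected_params(string $query, array $allowed): array
{
    return array_values(array_diff(app_param_names($query), $allowed));
}

// Constructed query strings illustrating each normalization rule.
$cases = [
    'a=x[y',        // '[' in the value: untouched, the key stays 'a'
    'a[y=1',        // unmatched '[' in the name: registered as 'a_y'
    'a.b=1&c d=2',  // '.' and ' ' in names: registered as 'a_b' and 'c_d'
    'a[y]=1',       // matched brackets: array under key 'a'
];

foreach ($cases as $q) {
    printf(
        "%-14s wire=%-12s app=%-12s renamed=%s\n",
        $q,
        implode(',', raw_param_names($q)),
        implode(',', app_param_names($q)),
        implode(',', renamed_params($q)) ?: '-'
    );
}

// Allowlist check on the normalized names; 'a.b' arrives as 'a_b' and is
// rejected regardless of how it was spelled on the wire.
print_r(unexpected_params('id=1&a.b=2', ['id']));
```

Run it from the command line with `php` and compare the `wire=` and `app=` columns: the first case shows why a `[` in the value changes nothing, while the second and third show names that a raw-string filter and the application will disagree about. Because unexpected_params() works on the normalized names, the spelling used on the wire no longer matters for the check.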
Re: Http Parameter Contamination / Research paper
Posted by: Ivan
Date: July 02, 2011 07:45AM

Txt version (exported pdf): http://www.security-net.biz/txt/Http%20Parameter%20Contamination%20-%20Ivan%20Markovic%20NSS.txt

I put in links for the images; picture 3 is the most important.


Interesting example btw, I will check this. Thanks ;)

http://www.security-net.biz/

Re: Http Parameter Contamination / Research paper
Posted by: Skyphire
Date: July 04, 2011 03:29PM

Thanks Ivan!

Nice read. Lots of other functions are vulnerable too, like urldecode(), unset() and many others, as well as verbatim variables/parameters in regular expressions. Not much research has been done in these areas, but it's exciting stuff to look into, I think.
