THE CENZIC BLOG
June 30, 2009

Defining and Detecting HTTP Parameter Pollution

Learn more about HTTP Parameter Pollution and find out ways to detect this latest attack

There’s been a lot of chat on Twitter recently about HTTP Parameter Pollution, so I wanted to describe the vulnerability in more detail and how Cenzic can detect it in its latest SmartAttack release.

What is HTTP Parameter Pollution?
HTTP Parameter Pollution is where an attacker submits additional parameters to a Web application. If these parameters have the same name as an existing parameter, the Web application may react in one of the following ways:

  • It may only take the data from the first parameter
  • It may take the data from the last parameter
  • It may take the data from all parameters and concatenate them together

These behaviors enable attackers to distribute attack payloads across multiple parameters to evade signature-based filters. For more details about the attack, visit this blog post and/or read this recent PowerPoint presentation delivered at an OWASP European meeting.

How to Detect an HTTP Parameter Pollution Vulnerability:
The latest Cenzic SmartAttack walks the traversal and identifies HTTP requests that are candidates for fault injection.  For each candidate request, the SmartAttack sends a series of pairs of injected requests with each parameter repeated once with its original value and once with an incorrect value.

If the application gives different responses for the original and the injected request, it indicates that the application is blindly looking at the last occurrence of the parameter, and the SmartAttack generates a Failure.
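The paired-request check described above, as an added example that is not Cenzic's SmartAttack code. It assumes the duplicate is appended after the original parameters and that the two injected responses are compared with each other; the three in-process handlers, the parameter names and the `zz-invalid` value are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode

def resolve(query, policy):
    """Collapse duplicate parameters the way one of the three back ends would."""
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    pick = {"first": lambda v: v[0],
            "last": lambda v: v[-1],
            "concat": lambda v: ",".join(v)}[policy]
    return {name: pick(values) for name, values in seen.items()}

def make_app(policy):
    # Hypothetical application: the response body depends on the resolved values.
    def app(query):
        p = resolve(query, policy)
        return "account=%s;action=%s" % (p.get("account"), p.get("action"))
    return app

def injected_pair(pairs, index, bad_value="zz-invalid"):
    """Build the two injected queries for one parameter: repeated with its
    original value, and repeated with an incorrect value (assumed appended)."""
    name, value = pairs[index]
    return (urlencode(pairs + [(name, value)]),
            urlencode(pairs + [(name, bad_value)]))

def check(app, query):
    """Return the parameters whose appended duplicate changes the response."""
    pairs = parse_qsl(query, keep_blank_values=True)
    flagged = []
    for i, (name, _) in enumerate(pairs):
        same_q, wrong_q = injected_pair(pairs, i)
        if app(same_q) != app(wrong_q):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    baseline = "account=12&action=view"  # constructed sample request
    for policy in ("first", "last", "concat"):
        print(policy, check(make_app(policy), baseline))
```

With the duplicate appended, the first-occurrence handler is not flagged, while the last-occurrence and concatenating handlers both are, because in both the appended value reaches the application.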

by
Erin Swanson
ESwanson@cenzic.com

