[Owasp-appsensor-project] Additional Detection Points - Additional or Missing Parameters

Colin Watson colin.watson at owasp.org
Fri Jun 11 04:39:37 EDT 2010


Michael

Two detection points (one for missing and one for extra/duplicated)
but covering both headers and other parameters?  Or is that 4
detection points?

Colin


On 10 June 2010 23:59, Michael Coates <michael.coates at owasp.org> wrote:
> I could have sworn that unexpected headers was on the list. I remember
> testing it in my old demo app.  Oh well, it's not at that link so we should
> add it.
>
> I would divide this into two detection points. One for missing an expected
> header and one for receiving an unexpected header.  The latter is actually
> very tricky as I found because all sorts of proxies will attach weird
> x-something headers.  We should mention that in the comments for that
> detection point.
>
> Michael Coates
> OWASP
>
> On 6/9/10 7:02 PM, John Melton wrote:
>
> +1 for this, and a specific instance here would be http parameter pollution
> (hpp)
>
> On Wed, Jun 9, 2010 at 10:20 AM, Colin Watson <colin.watson at owasp.org>
> wrote:
>>
>> Suggestion to add a new detection point.  Has this already been ruled
>> out?  Should it be added?  Is the description/categorization suitable?
>>
>> Source
>> -----------------------------------
>> Just another idea, but based on WAF white listing concepts
>>
>> Description
>> -----------------------------------
>> A required header or body parameter is missing, or additional
>> unexpected parameters are received with the request.
>>
>> Suggested categorization
>> -----------------------------------
>> RE5 Additional or Missing Parameters
>> _______________________________________________
>> Owasp-appsensor-project mailing list
>> Owasp-appsensor-project at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>
>

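As an added example (not code from the AppSensor project or from anyone in this thread), the following Python sketch implements the proposed detection point as a whitelist check along the lines of the description above, and folds in both refinements raised in the replies: duplicated parameters are reported separately from merely unexpected ones (the HPP case), and a configurable set of header prefixes that intermediaries commonly add is ignored so that proxy noise does not trigger the "unexpected header" case. It goes slightly beyond the thread in distinguishing required from optional names. The endpoint, parameter and header names, the ignored-prefix list, the common-header list and the sample request are all constructed for illustration; "RE5" is the categorisation code suggested in the thread.

```python
"""
Whitelist-style check for a proposed AppSensor detection point:
missing required parameters/headers, additional unexpected ones, and
duplicated parameters (HTTP parameter pollution).  Added example, not
project code; every name below is a constructed illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Header names/prefixes that proxies and load balancers commonly attach.
# Constructed sample list, not a complete inventory; tune per deployment.
DEFAULT_IGNORED_HEADER_PREFIXES = ("x-forwarded-", "x-real-ip", "via", "forwarded")

# Headers nearly every client sends; treated as always acceptable so a
# handler only has to enumerate the application-specific ones.
DEFAULT_COMMON_HEADERS = frozenset({
    "host", "user-agent", "accept", "accept-encoding", "accept-language",
    "connection", "content-length", "content-type", "cookie",
})


@dataclass(frozen=True)
class Expectation:
    """What one endpoint expects (hypothetical configuration)."""
    required_params: frozenset
    optional_params: frozenset = frozenset()
    required_headers: frozenset = frozenset()
    optional_headers: frozenset = frozenset()
    ignored_header_prefixes: tuple = DEFAULT_IGNORED_HEADER_PREFIXES


@dataclass(frozen=True)
class DetectionEvent:
    category: str  # "RE5" as suggested in the thread
    kind: str      # missing_param, extra_param, duplicate_param,
                   # missing_header, extra_header
    name: str


def _ignored_header(name: str, prefixes: Sequence[str]) -> bool:
    return any(name.startswith(p) for p in prefixes)


def check_request(exp: Expectation,
                  params: Sequence[Tuple[str, str]],
                  headers: Sequence[Tuple[str, str]]) -> List[DetectionEvent]:
    """Return one event per deviation from the endpoint's expectation.

    params/headers are (name, value) pairs in wire order, so repeated
    names survive and duplicates can be counted."""
    events: List[DetectionEvent] = []

    # Parameters are case-sensitive; count occurrences to expose HPP.
    counts: Dict[str, int] = {}
    for name, _ in params:
        counts[name] = counts.get(name, 0) + 1
    allowed_params = exp.required_params | exp.optional_params
    for name in sorted(exp.required_params - set(counts)):
        events.append(DetectionEvent("RE5", "missing_param", name))
    for name, n in sorted(counts.items()):
        if name not in allowed_params:
            events.append(DetectionEvent("RE5", "extra_param", name))
        if n > 1:
            events.append(DetectionEvent("RE5", "duplicate_param", name))

    # Header names are case-insensitive in HTTP, so normalise first.
    seen = {name.lower() for name, _ in headers}
    required = {h.lower() for h in exp.required_headers}
    allowed = required | {h.lower() for h in exp.optional_headers} | DEFAULT_COMMON_HEADERS
    for name in sorted(required - seen):
        events.append(DetectionEvent("RE5", "missing_header", name))
    for name in sorted(seen - allowed):
        if not _ignored_header(name, exp.ignored_header_prefixes):
            events.append(DetectionEvent("RE5", "extra_header", name))
    return events


# Constructed sample: a hypothetical login endpoint and one suspicious request.
LOGIN_EXPECTATION = Expectation(
    required_params=frozenset({"username", "password"}),
    optional_params=frozenset({"remember"}),
    required_headers=frozenset({"X-CSRF-Token"}),
)

SAMPLE_REQUEST_PARAMS = [
    ("username", "alice"),
    ("password", "s3cret"),
    ("password", "other"),   # duplicated parameter (HPP)
    ("debug", "1"),          # parameter the handler never asked for
]
SAMPLE_REQUEST_HEADERS = [
    ("Host", "example.test"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("X-Forwarded-For", "203.0.113.7"),  # proxy-added, ignored by prefix
    ("X-Trace", "abc"),                   # unexpected; CSRF token is absent
]


def sample_events() -> List[DetectionEvent]:
    return check_request(LOGIN_EXPECTATION, SAMPLE_REQUEST_PARAMS, SAMPLE_REQUEST_HEADERS)


if __name__ == "__main__":
    for e in sample_events():
        print(e.category, e.kind, e.name)
```

Running the sample reports the extra "debug" parameter, the duplicated "password", the missing CSRF header and the unexpected "X-Trace" header, while the proxy-added X-Forwarded-For is silently accepted. In a real deployment the ignored-prefix list is the knob that controls the false-positive rate discussed in the thread, and the per-endpoint Expectation would be derived from the handler's declared inputs rather than hand-written.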