[Owasp-appsensor-project] Additional Detection Points - Additional or Missing Parameters

Michael Coates michael.coates at owasp.org
Fri Jun 11 12:06:25 EDT 2010


I would go with 2 - one for missing and one for extra.

Michael Coates
OWASP


On 6/11/10 1:39 AM, Colin Watson wrote:
> Michael
>
> Two detection points (one for missing and one for extra/duplicated)
> but covering both headers and other parameters?  Or is that 4
> detection points?
>
> Colin
>
>
> On 10 June 2010 23:59, Michael Coates<michael.coates at owasp.org>  wrote:
>
>> I could have sworn that unexpected headers was on the list. I remember
>> testing it in my old demo app.  Oh well, it's not at that link so we should
>> add it.
>>
>> I would divide this into two detection points. One for missing an expected
>> header and one for receiving an unexpected header.  The latter is actually
>> very tricky as I found because all sorts of proxies will attach weird
>> x-something headers.  We should mention that in the comments for that
>> detection point.
>>
>> Michael Coates
>> OWASP
>>
>> On 6/9/10 7:02 PM, John Melton wrote:
>>
>> +1 for this, and a specific instance here would be HTTP parameter pollution
>> (HPP)
>>
>> On Wed, Jun 9, 2010 at 10:20 AM, Colin Watson<colin.watson at owasp.org>
>> wrote:
>>
>>> Suggestion to add a new detection point.  Has this already been ruled
>>> out?  Should it be added?  Is the description/categorization suitable?
>>>
>>> Source
>>> -----------------------------------
>>> Just another idea, but based on WAF white listing concepts
>>>
>>> Description
>>> -----------------------------------
>>> A required header or body parameter is missing, or additional
>>> unexpected parameters are received with the request.
>>>
>>> Suggested categorization
>>> -----------------------------------
>>> RE5 Additional or Missing Parameters
>>> _______________________________________________
>>> Owasp-appsensor-project mailing list
>>> Owasp-appsensor-project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>>>
>>


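The two detection points the thread settles on (one for a missing required header or parameter, one for an extra or duplicated one, both covering headers as well as body parameters), written out as an added example; this is not code from the thread or from the AppSensor project. It follows the WAF-style allowlist idea in Colin's description: an endpoint declares what it expects, and anything outside that raises an event. The endpoint specification, the proxy-header ignore list (the caveat Michael raises about proxies attaching x-something headers) and the sample requests are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

Pairs = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class EndpointSpec:
    """Allowlist for one endpoint: what a legitimate request may contain.
    Constructed for this example; an application would hold one per route."""
    required_headers: frozenset
    optional_headers: frozenset
    required_params: frozenset
    optional_params: frozenset
    repeatable_params: frozenset = frozenset()  # e.g. multi-select form fields


@dataclass(frozen=True)
class Request:
    """Headers and body parameters as ordered name/value pairs.
    Lists rather than dicts, so duplicated names (HPP) stay visible."""
    headers: Pairs
    params: Pairs


# Proxies and load balancers add headers the application never asked for.
# Alerting on every one of them would be pure noise, so a known set is
# ignored. Which names belong here is deployment-specific; this set is
# an assumption for the example, not a standard list.
PROXY_HEADER_ALLOWLIST = frozenset({
    "via", "forwarded", "x-forwarded-for", "x-forwarded-proto",
    "x-forwarded-host", "x-real-ip", "x-request-id", "connection",
})


def detect(spec: EndpointSpec, req: Request) -> List[Tuple[str, str, str]]:
    """Evaluate both detection points against one request.

    Returns (detection_point, kind, name) events:
      RE5-missing : a required header or parameter is absent
      RE5-extra   : a header or parameter outside the allowlist is present,
                    or a single-valued parameter appears more than once
    The "RE5-missing"/"RE5-extra" labels are this example's own naming.
    """
    events = []

    # Header names are case-insensitive; parameter names are not.
    header_names = {name.lower() for name, _ in req.headers}
    for name in sorted(spec.required_headers - header_names):
        events.append(("RE5-missing", "header", name))
    allowed_headers = (spec.required_headers | spec.optional_headers
                       | PROXY_HEADER_ALLOWLIST)
    for name in sorted(header_names - allowed_headers):
        events.append(("RE5-extra", "header", name))

    counts = Counter(name for name, _ in req.params)
    present_params = set(counts)
    for name in sorted(spec.required_params - present_params):
        events.append(("RE5-missing", "param", name))
    allowed_params = spec.required_params | spec.optional_params
    for name in sorted(present_params - allowed_params):
        events.append(("RE5-extra", "param", name))
    # Duplicated parameter: the HPP case John mentions. Only flag names the
    # endpoint knows, so an unknown name is reported once, as "extra".
    for name, n in sorted(counts.items()):
        if n > 1 and name in allowed_params and name not in spec.repeatable_params:
            events.append(("RE5-extra", "duplicate-param", name))
    return events


# Constructed endpoint and sample requests for a form-based login.
LOGIN = EndpointSpec(
    required_headers=frozenset({"host", "content-type", "content-length"}),
    optional_headers=frozenset({"user-agent", "accept", "accept-encoding",
                                "accept-language", "cookie", "referer", "origin"}),
    required_params=frozenset({"username", "password"}),
    optional_params=frozenset({"remember_me"}),
)

NORMAL = Request(
    headers=(("Host", "app.example"),
             ("Content-Type", "application/x-www-form-urlencoded"),
             ("Content-Length", "33"), ("User-Agent", "Mozilla/5.0"),
             ("X-Forwarded-For", "198.51.100.7")),   # added by a proxy: ignored
    params=(("username", "alice"), ("password", "hunter2")),
)
MISSING = Request(headers=NORMAL.headers, params=(("username", "alice"),))
POLLUTED = Request(
    headers=NORMAL.headers + (("X-Debug-Mode", "1"),),
    params=(("username", "alice"), ("password", "x"),
            ("username", "admin"), ("is_admin", "true")),
)

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("missing", MISSING), ("polluted", POLLUTED)):
        print(label, detect(LOGIN, req))
```

The proxy ignore list is the part that needs care in a real deployment: it should be derived from the headers your own edge actually adds, and kept tight, because a header a proxy strips or rewrites before the request reaches the application can never be detected at this layer anyway.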