[Owasp-modsecurity-core-rule-set] Fwd: [JIRA] Resolved: (CORERULES-8) Filter Bypass Vulnerability
ryan.barnett at breach.com
Mon Aug 3 10:10:14 EDT 2009
On Sunday 02 August 2009 07:28:37 am Junyong Jiang wrote:
> Dear Ryan,
> I have another question about this HPP rule. The definition of HPP attack
> is that the 'arg_names' includes data segment like "user=a & user=d &
> user=m & user=i & user=n". The multi-parameter is "user". But if we log in a
> user with the same username and password, this is also recognized as HPP
> attack. For example "username=admin&password=admin". The differences
> between these two cases are: the multi-parameters are before or after "=".
> I want to know whether we need to differentiate these two cases in the HPP
> detection rules.
My understanding of HPP is
that it includes adding in/injecting new parameters. This can include adding
in the data before the "=" into the parameter name section or after the "="
into the parameter payload section. Either way, the attacker is adding in new
The issue, then, from the WAF/WebApp perspective is how are multiple
parameters with the same name treated? See my blog post here -
The two main issues are either business-logic abuse and/or signature evasions.
In the example you gave, I am not quite sure how this relates to HPP. Yes,
technically, you are inserting new parameter data, however if there is no
parameter name duplication, then you are not dealing with two issues listed
Can you explain your question a bit more clearly?
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
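
Added example, not part of the original message or of the Core Rule Set: a Python check for the distinction discussed in this thread, flagging parameter names that occur more than once while ignoring equal values under different names. The function names, the sample query strings and the set of recombined views (first, last, comma-joined, concatenated) are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qsl


def group_params(query):
    """Map each parameter name to every value supplied for it, in order."""
    grouped = defaultdict(list)
    # keep_blank_values: "user=&user=x" must still count as two occurrences
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped[name].append(value)
    return dict(grouped)


def duplicated_names(query):
    """Names that appear more than once (the name-duplication case)."""
    return {n: v for n, v in group_params(query).items() if len(v) > 1}


def recombined_views(values):
    """Assumed ways a backend might resolve one duplicated name.

    Inspecting all of them lets a signature see the value the
    application may actually end up using, not only the fragments.
    """
    return {
        "first": values[0],
        "last": values[-1],
        "comma_joined": ",".join(values),
        "concatenated": "".join(values),
    }


def inspect(query, blocked_terms):
    """Return (name, view, term) for every blocked term found in any view."""
    hits = []
    for name, values in duplicated_names(query).items():
        for view, text in recombined_views(values).items():
            hits += [(name, view, t) for t in blocked_terms if t in text]
    return hits


if __name__ == "__main__":
    # Constructed sample inputs modelled on the two cases in the thread.
    split_name = "user=a&user=d&user=m&user=i&user=n"
    same_value = "username=admin&password=admin"
    print(duplicated_names(split_name))   # one name, five values
    print(duplicated_names(same_value))   # no duplicated name
    print(inspect(split_name, ["admin"]))
```

The second query has two equal values but no repeated name, so it produces no finding.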