[Owasp-modsecurity-core-rule-set] Fwd: [JIRA] Resolved: (CORERULES-8) Filter Bypass Vulnerability

Ryan Barnett ryan.barnett at breach.com
Mon Aug 3 10:10:14 EDT 2009

On Sunday 02 August 2009 07:28:37 am Junyong Jiang wrote:
> Dear Ryan,
> I have another question about this HPP rule. The definition of HPP attack
> is that the  'arg_names' includes data segment like "user=a & user=d &
> user=m & user=i & user=n". The multi-parameter is "user". But if we login a
> user with the same username and password, this is also recognized as HPP
> attack. For example "username=admin&password=admin".  The differences
> between these two cases are: the multi-parameters are before or after "=". 
> I want to know whether need we differentiate these two cases in the HPP
> detection rules.

My understanding of HPP 
(http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf) is 
that it includes adding in/injecting new parameters.  This can include adding 
in the data before the "=" into the parameter name section or after the "=" 
into the parameter payload section.  Either way, the attacker is adding in new 

The issue, then, from the WAF/WebApp perspective is how are multiple 
parameters with the same name treated?  See my blog post here - 
The two main issues are either business-logic abuse and/or signature evasions.

In the example you gave, I am not quite sure how this relates to HPP.  Yes, 
technically, you are inserting new parameter data, however if there are no 
parameter name duplication, then you are not dealing with two issues listed 

Can you explain your question a bit more clearly?

Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20090803/f1c4e474/attachment.html 

More information about the Owasp-modsecurity-core-rule-set mailing list