[Owasp-modsecurity-core-rule-set] Fwd: [JIRA] Resolved: (CORERULES-8) Filter Bypass Vulnerability

Junyong Jiang dreamice.jiang at gmail.com
Mon Aug 3 22:59:06 EDT 2009


Dear Ryan,

I mean that when I access http://www.example.com/login.jsp,
the website prompts me to log in with the USER and PASSWORD.
My username is "admin", and the password is also "admin".
When I post this request to the server, the posted part looks like
this: "...username=admin&password=admin".
This POST request is also recognized as an HPP attack.

2009/8/3 Ryan Barnett <ryan.barnett at breach.com>

>  On Sunday 02 August 2009 07:28:37 am Junyong Jiang wrote:
> > Dear Ryan,
> >
> > I have another question about this HPP rule. The definition of an HPP attack
> > is that the 'arg_names' include a data segment like "user=a & user=d &
> > user=m & user=i & user=n". The multi-parameter is "user". But if we log in
> > a user with the same username and password, this is also recognized as an HPP
> > attack. For example "username=admin&password=admin". The difference
> > between these two cases is whether the multi-parameters are before or after
> > "=". I want to know whether we need to differentiate these two cases in the
> > HPP detection rules.
> >
>
>
> My understanding of HPP (
> http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf) is
> that it includes adding in/injecting new parameters. This can include adding
> in the data before the "=" into the parameter name section or after the "="
> into the parameter payload section. Either way, the attacker is adding in
> new parameters.
>
>
> The issue, then, from the WAF/WebApp perspective is how are multiple
> parameters with the same name treated? See my blog post here -
> http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html.
> The two main issues are either business-logic abuse and/or signature
> evasions.
>
>
> In the example you gave, I am not quite sure how this relates to HPP. Yes,
> technically, you are inserting new parameter data, however if there is no
> parameter name duplication, then you are not dealing with the two issues
> listed above.
>
>
> Can you explain your question a bit more clearly?
>
>
> --
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com
>
>
>
>
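
The distinction discussed in this thread, as an added example that is not part of the original messages or of the Core Rule Set: a duplicated parameter name (the "user=...&user=..." case) is separated from a value that merely repeats under different names (the "username=admin&password=admin" case). The function names are hypothetical and the sample bodies are constructed from the strings quoted above.

```python
from collections import defaultdict
from urllib.parse import unquote_plus


def split_pairs(raw):
    """Split a query string or form body into decoded (name, value) pairs.

    Order and duplicates are preserved. Names are URL-decoded before any
    comparison so that different encodings of one name compare equal.
    """
    pairs = []
    for field in raw.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def duplicated_names(raw):
    """Return {name: [values]} for each parameter name seen more than once.

    This is the condition the thread ties to HPP: the same name on the
    left-hand side of "=" occurring several times.
    """
    seen = defaultdict(list)
    for name, value in split_pairs(raw):
        seen[name].append(value)
    return {name: vals for name, vals in seen.items() if len(vals) > 1}


def repeated_values(raw):
    """Return {value: [names]} for values shared by different names.

    A login where username and password are equal lands here; flagging it
    as HPP would be a false positive.
    """
    seen = defaultdict(list)
    for name, value in split_pairs(raw):
        seen[value].append(name)
    return {val: names for val, names in seen.items() if len(set(names)) > 1}


if __name__ == "__main__":
    # Constructed sample bodies based on the two cases in the thread.
    for body in ("username=admin&password=admin",
                 "user=a&user=d&user=m&user=i&user=n"):
        print(body, duplicated_names(body), repeated_values(body))
```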