[Owasp-modsecurity-core-rule-set] Fwd: [JIRA] Resolved: (CORERULES-8) Filter Bypass Vulnerability

Ryan Barnett ryan.barnett at breach.com
Tue Aug 4 08:04:50 EDT 2009


On Monday 03 August 2009 10:59:06 pm Junyong Jiang wrote:
> Dear Ryan,
>
> I mean that when I access http://www.example.com/login.jsp
> the website notifies me to log in with the USER and PASSWORD.
> As my username is "admin", the password is also "admin".
> When I post this request to the server, the posting part is like
> this: "...username=admin&password=admin". This post request is also
> recognized as an HPP attack.
>

Junyong,
I do not believe that having two payloads that are the same is considered
HPP.  Please reference any documentation that states otherwise.

--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com

> 2009/8/3 Ryan Barnett
> <ryan.barnett at breach.com>
>
> On Sunday 02 August 2009 07:28:37 am Junyong Jiang wrote:
> > Dear Ryan,
> >
> > I have another question about this HPP rule. The definition of HPP attack
> > is that the 'arg_names' includes data segment like "user=a & user=d &
> > user=m & user=i & user=n". The multi-parameter is "user". But if we login
> > a user with the same username and password, this is also recognized as
> > HPP attack. For example "username=admin&password=admin". The differences
> > between these two cases are: the multi-parameters are before or after
> > "=". I want to know whether we need to differentiate these two cases in the
> > HPP detection rules.
>
> My understanding of HPP
> (http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf) is
> that it includes adding in/injecting new parameters. This can include
> adding in the data before the "=" into the parameter name section or after
> the "=" into the parameter payload section. Either way, the attacker is
> adding in new parameters.
>
>
> The issue, then, from the WAF/WebApp perspective is how are multiple
> parameters with the same name treated? See my blog post here -
> http://tacticalwebappsec.blogspot.com/2009/05/http-parameter-pollution.html.
> The two main issues are either business-logic abuse and/or signature
> evasions.
>
>
> In the example you gave, I am not quite sure how this relates to HPP. Yes,
> technically, you are inserting new parameter data, however if there is no
> parameter name duplication, then you are not dealing with the two issues
> listed above.
>
>
> Can you explain your question a bit more clearly?
>
>
> --
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
> http://tacticalwebappsec.blogspot.com/
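
The distinction discussed in this thread (a repeated parameter name versus the same value under two different names), as an added example that is not part of the original messages and is not code from the Core Rule Set. The helper name `analyze_params` and the sample inputs are assumptions constructed for illustration; names are compared after percent-decoding so an encoded duplicate is still counted.

```python
from collections import Counter
from urllib.parse import parse_qsl


def analyze_params(raw: str) -> dict:
    """Classify a raw query string or urlencoded body (hypothetical helper)."""
    # parse_qsl percent-decodes names and values and keeps repeated pairs in order.
    pairs = parse_qsl(raw, keep_blank_values=True)

    # A parameter NAME that occurs more than once is the HPP signal.
    name_counts = Counter(name for name, _ in pairs)
    duplicate_names = sorted(n for n, c in name_counts.items() if c > 1)

    # A VALUE shared by different names is reported separately and does not
    # contribute to the HPP decision.
    names_by_value = {}
    for name, value in pairs:
        names_by_value.setdefault(value, set()).add(name)
    shared_values = {
        v: sorted(ns) for v, ns in names_by_value.items() if len(ns) > 1
    }

    return {
        "duplicate_names": duplicate_names,
        "shared_values": shared_values,
        "hpp_candidate": bool(duplicate_names),
    }


# Constructed sample inputs modelled on the cases raised in the thread.
SAMPLES = {
    "login_same_value": "username=admin&password=admin",
    "split_payload": "user=a&user=d&user=m&user=i&user=n",
    "encoded_duplicate": "user=alice&us%65r=bob",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze_params(raw))
```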
