[Owasp-modsecurity-core-rule-set] Fwd: [JIRA] Resolved: (CORERULES-8) Filter Bypass Vulnerability
ryan.barnett at breach.com
Tue Aug 4 08:04:50 EDT 2009
On Monday 03 August 2009 10:59:06 pm Junyong Jiang wrote:
> Dear Ryan,
> I mean that when I access http://www.example.com/login.jsp
> The website notifies me to log in with the USER and PASSWORD.
> As my username is "admin", the password is also "admin".
> When I post this request to server, the posting part is like
> this:"...username=admin&password=admin". This post request is also
> recognized as an HPP attack.
I do not believe that having two payloads that are the same is considered
HPP. Please reference any documentation that states otherwise.
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
> 2009/8/3 Ryan Barnett <ryan.barnett at breach.com>
> On Sunday 02 August 2009 07:28:37 am Junyong Jiang wrote:
> > Dear Ryan,
> > I have another question about this HPP rule. The definition of HPP attack
> > is that the 'arg_names' includes data segment like "user=a & user=d &
> > user=m & user=i & user=n". The multi-parameter is "user". But if we login
> > a user with the same username and password, this is also recognized as
> > HPP attack. For example "username=admin&password=admin". The differences
> > between these two cases are: the multi-parameters are before or after
> > "=". I want to know whether we need to differentiate these two cases in the
> > HPP detection rules.
> My understanding of HPP
> (http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf) is
> that it includes adding in/injecting new parameters. This can include
> adding in the data before the "=" into the parameter name section or after
> the "=" into the parameter payload section. Either way, the attacker is
> adding in new parameters.
> The issue, then, from the WAF/WebApp perspective is how are multiple
> parameters with the same name treated? See my blog post here -
>. The two main issues are either business-logic abuse and/or signature
> In the example you gave, I am not quite sure how this relates to HPP. Yes,
> technically, you are inserting new parameter data, however if there is no
> parameter name duplication, then you are not dealing with two issues listed
> Can you explain your question a bit more clearly?
> Ryan C. Barnett
> WASC Distributed Open Proxy Honeypot Project Leader
> OWASP ModSecurity Core Rule Set Project Leader
> Tactical Web Application Security
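The distinction discussed in this thread, as an added Python example that is not part of the original messages and is not the Core Rule Set's own rule logic: it flags repeated parameter names, and separately flags a decoded value that carries "&name=" for a name already in the request, while leaving "username=admin&password=admin" alone. The function name find_hpp, the result keys, the second check (one assumed reading of data added "after the =") and the sample requests are constructed for illustration; it also goes slightly beyond the thread by percent-decoding names and combining the query string with the POST body.

```python
from collections import Counter
from urllib.parse import parse_qsl


def find_hpp(query="", body=""):
    """Return HPP indicators for one request's query string and form body."""
    pairs = []
    for source in (query, body):
        # parse_qsl percent-decodes names and values and keeps repeated names.
        pairs += parse_qsl(source, keep_blank_values=True)

    counts = Counter(name for name, _ in pairs)
    # Case 1: the same parameter NAME occurs more than once.
    duplicated = sorted(name for name, n in counts.items() if n > 1)

    # Case 2 (assumed reading of "after the '='"): a decoded VALUE carries
    # "&name=..." for a parameter name that the request already uses.
    embedded = []
    for carrier, value in pairs:
        _, sep, tail = value.partition("&")
        if not sep:
            continue
        for inner, _ in parse_qsl(tail, keep_blank_values=True):
            if inner in counts:
                embedded.append((carrier, inner))

    return {"duplicated": duplicated, "embedded": embedded}


if __name__ == "__main__":
    # Constructed sample requests: (query string, form body).
    samples = [
        ("", "username=admin&password=admin"),       # equal values only
        ("", "user=a&user=d&user=m&user=i&user=n"),  # repeated name
        ("user=a", "us%65r=b"),                      # repeat via encoding
        ("", "comment=hi%26user%3Dd&user=a"),        # name inside a value
    ]
    for query, body in samples:
        print(repr(query), repr(body), find_hpp(query, body))
```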