[Owasp-appsensor-project] Additional Detection Points - Additional or Missing Parameters

Michael Coates michael.coates at owasp.org
Thu Jun 10 18:59:08 EDT 2010

I could have sworn that unexpected headers was on the list. I remember 
testing it in my old demo app.  Oh well, it's not at that link so we 
should add it.

I would divide this into two detection points. One for missing an 
expected header and one for receiving an unexpected header.  The latter 
is actually very tricky as I found because all sorts of proxies will 
attach weird x-something headers.  We should mention that in the 
comments for that detection point.

Michael Coates

On 6/9/10 7:02 PM, John Melton wrote:
> +1 for this, and a specific instance here would be http parameter 
> pollution (hpp)
> On Wed, Jun 9, 2010 at 10:20 AM, Colin Watson <colin.watson at owasp.org 
> <mailto:colin.watson at owasp.org>> wrote:
>     Suggestion to add a new detection point.  Has this already been ruled
>     out?  Should it be added?  Is the description/categorization suitable?
>     Source
>     -----------------------------------
>     Just another idea, but based on WAF white listing concepts
>     Description
>     -----------------------------------
>     A required header or body parameter is missing, or additional
>     unexpected parameters are received with the request.
>     Suggested categorization
>     -----------------------------------
>     RE5 Additional or Missing Parameters
>     _______________________________________________
>     Owasp-appsensor-project mailing list
>     Owasp-appsensor-project at lists.owasp.org
>     <mailto:Owasp-appsensor-project at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
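The split proposed above (missing expected header, unexpected header with a proxy allowlist, missing/additional parameters, plus the HPP case John raised) as an added illustration in Python. This is not AppSensor project code; the spec format, the sub-labels under RE5, the allowlisted proxy headers and the sample request are all constructed for the example.

```python
from collections import Counter

# Constructed allowlist of headers proxies commonly inject; these must not
# fire the "unexpected header" point (tune per deployment, hypothetical set).
PROXY_HEADER_ALLOWLIST = {"x-forwarded-for", "x-forwarded-proto", "via"}

# Constructed per-endpoint expectation for a login request (hypothetical).
SAMPLE_SPEC = {
    "required_headers": {"Host", "User-Agent"},
    "expected_headers": {"Host", "User-Agent", "Accept", "Cookie"},
    "required_params": {"username", "password"},
    "expected_params": {"username", "password", "remember"},
}

def check_request(spec, headers, params, allowlist=PROXY_HEADER_ALLOWLIST):
    """Return (detection_point, detail) events for one request.

    headers: list of (name, value); names are compared case-insensitively.
    params:  list of (name, value) in arrival order, so a repeated name
             (HTTP parameter pollution) stays visible instead of collapsing.
    """
    events = []
    seen_headers = {name.lower() for name, _ in headers}
    for h in sorted(spec["required_headers"]):          # missing expected header
        if h.lower() not in seen_headers:
            events.append(("RE5_MISSING_HEADER", h))
    known = {h.lower() for h in spec["expected_headers"]} | allowlist
    for h in sorted(seen_headers - known):               # unexpected header
        events.append(("RE5_UNEXPECTED_HEADER", h))
    counts = Counter(name for name, _ in params)
    for p in sorted(spec["required_params"]):            # missing parameter
        if p not in counts:
            events.append(("RE5_MISSING_PARAM", p))
    for p in sorted(set(counts) - spec["expected_params"]):  # extra parameter
        events.append(("RE5_UNEXPECTED_PARAM", p))
    for p, n in sorted(counts.items()):                  # duplicated name (HPP)
        if n > 1:
            events.append(("RE5_DUPLICATE_PARAM", f"{p} x{n}"))
    return events

def demo():
    # Constructed request: no User-Agent, a proxy header, a stray X-Debug
    # header, a polluted "password" and an unexpected "role" parameter.
    headers = [("Host", "app.example.test"), ("X-Forwarded-For", "10.0.0.5"),
               ("X-Debug", "1")]
    params = [("username", "alice"), ("password", "s3cret"),
              ("password", "other"), ("role", "admin")]
    return check_request(SAMPLE_SPEC, headers, params)

if __name__ == "__main__":
    for point, detail in demo():
        print(point, detail)
```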