[OWASP-ESAPI] Making ESAPI HPP proof

lavakumar kuppan lavakumar.in at gmail.com
Wed Aug 26 06:58:26 EDT 2009


Hi All,

Extending on what Jim had mentioned in his earlier mail, I have a proposal
for ESAPI Java and .NET: to provide anti-HPP (HTTP Parameter Pollution)
support in ESAPI.
HTTP Parameter Pollution depends on multiple request parameters having the
same name.

Its effect varies based on the platform:
1) Java:
    Override other parameters and subsequently application logic
    Refer slides 20,21,23,24 on
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
2) .NET:
    Bypass Web Application firewalls
    Refer http://lavakumar.com/modsecurity_hpp.txt
    http://lavakumar.com/Split_and_Join.pdf

Multiple parameters of the same name are supported by the web platform to
accept multi-select input lists.
But this feature is always turned on, and even when a particular parameter is
not using a 'multi-select input list' the web technology always treats it as
one.
This 'enabled by default' approach opens up possibilities for abuse like the
ones listed above.

It would be better if by default this feature was turned off unless the
developer explicitly wants to accept multi-select input list data.
This would prevent any HTTP Parameter Pollution attacks against the Web
Application.


For example, the SafeRequest class of ESAPI Java could add this additional
check to the getParameter() function:

public String getParameter(String name) {
        String[] valuearray = request.getParameterValues(name);
        // getParameterValues() returns null when the parameter is absent,
        // so guard against that before checking the length
        if (valuearray != null && valuearray.length > 1)
        {
            throw new IntrusionException( "Invalid input", "Multiple instances found for parameter:" + name + " Possible HPP attempt");
        }
        //--- existing code here ----//
    }

I am not sure if ESAPI .NET implements the SafeRequest class; if it does, then
the Request.Params, Request.QueryString and Request.Form arrays can be
overridden to only store one instance of a request parameter.
There could be a separate request property called, let's say,
'Request.ParameterValues' (similar to Java) which would include the array
list of the multiple parameters.
So if the developer intends to accept data from a multi-select input list in
ESAPI .NET then he can call Request.ParameterValues["multi"].
This would make sure that the use of multiple parameters with the same name is
only supported where the developer wants it and not everywhere,
making ESAPI-powered applications secure by default against HPP.
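The following is an added, stand-alone illustration of the "off by default" policy described above for both the Java check and the .NET-style explicit multi-valued accessor; it is not ESAPI code and is not from the original mail. It replaces HttpServletRequest with a small query-string parser so it runs without a servlet container; the class name HppSafeParameters, the exception type, and the sample query string are assumptions constructed for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

/**
 * Added example (not ESAPI code): parameter access that rejects duplicate
 * names unless the developer has explicitly declared the name as
 * multi-valued. Single-valued access is the default; multi-valued access
 * is opt-in, mirroring the proposed Request.ParameterValues property.
 */
public class HppSafeParameters {

    /** Thrown when a single-valued parameter arrives more than once (assumed name). */
    public static class ParameterPollutionException extends RuntimeException {
        public ParameterPollutionException(String msg) { super(msg); }
    }

    private final Map<String, List<String>> params = new LinkedHashMap<>();
    private final Set<String> multiValued;

    /** @param multiValuedNames names the developer explicitly allows to repeat */
    public HppSafeParameters(String rawQuery, Set<String> multiValuedNames) {
        this.multiValued = new HashSet<>(multiValuedNames);
        parse(rawQuery);
    }

    // Minimal application/x-www-form-urlencoded parser standing in for the container.
    private void parse(String rawQuery) {
        if (rawQuery == null || rawQuery.isEmpty()) return;
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = decode(eq < 0 ? pair : pair.substring(0, eq));
            String value = eq < 0 ? "" : decode(pair.substring(eq + 1));
            params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
    }

    private static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    /** Single-valued access: a repeated, undeclared name is treated as an HPP attempt. */
    public String getParameter(String name) {
        List<String> values = params.get(name);
        if (values == null) return null; // absent parameter, as in the servlet API
        if (values.size() > 1 && !multiValued.contains(name)) {
            throw new ParameterPollutionException(
                "Multiple instances found for parameter: " + name + " Possible HPP attempt");
        }
        return values.get(0);
    }

    /** Multi-valued access, only for names the developer declared up front. */
    public String[] getParameterValues(String name) {
        if (!multiValued.contains(name)) {
            throw new IllegalArgumentException(name + " is not declared multi-valued");
        }
        List<String> values = params.get(name);
        return values == null ? null : values.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed sample request: "colour" is the declared multi-select field,
        // "action" is repeated without being declared.
        HppSafeParameters req = new HppSafeParameters(
            "user=alice&colour=red&colour=blue&action=view&action=delete",
            Set.of("colour"));
        System.out.println("user = " + req.getParameter("user"));
        System.out.println("colours = " + Arrays.toString(req.getParameterValues("colour")));
        try {
            req.getParameter("action");
        } catch (ParameterPollutionException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the sample run, "user" and the declared "colour" list are returned normally, while the repeated "action" parameter is rejected rather than silently resolved to either its first or last value, which is the platform-dependent behaviour HPP relies on. A real integration would log the rejection through the application's intrusion detection path instead of printing it.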

Would love to hear what the rest of the members think about this.

Cheers,
Lava
http://www.lavakumar.com