[Owasp-leaders] Java Servlet parameter pollution problem in the spec

psiinon psiinon at gmail.com
Tue Jul 24 09:48:26 UTC 2012


Implemented and published via the ZAP extensions project:
http://code.google.com/p/zap-extensions/
Source code available here:
https://code.google.com/p/zap-extensions/source/browse/trunk/src/org/zaproxy/zap/extension/servletParamPollution/ServletParameterPollutionScanner.java

To make use of this just:

   - Download the 'Parameter pollution scanner' extension
   - Save it in the ZAP 'plugin' directory
   - (Re)start ZAP

It's a passive scanner, so then just browse / spider your application and
any forms without target attributes will be flagged as potentially having
this issue.

Any feedback gratefully received.

Simon

On Wed, Jul 11, 2012 at 2:50 PM, psiinon <psiinon at gmail.com> wrote:

> I've raised it as a ZAP enhancement request: Issue 324 <http://code.google.com/p/zaproxy/issues/detail?id=324> :)
>
>
> As you say it should be easy to implement, so I'll try to implement it
> asap.
>
> Cheers,
>
> Simon
>
> (Resent to owasp-leaders at lists.owasp.org instead of
> owasp-leaders at owasp.org, grrrr!)
>
>
> On Wed, Jul 11, 2012 at 1:59 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
>
>> Hi everyone,
>>
>> So there doesn't seem to be a great resolution here.  It seems we need
>> to tell developers that they MUST specify the action URL in their
>> forms.  We could approach the W3C to try to make this required, but
>> I'm skeptical they'll move on this.  (Anyone know where to submit
>> something like this?)  The Java Servlet Spec team is resistant to
>> making a change as well.  Sigh.
>>
>> I'd love to have some numbers about how many sites are susceptible to
>> this.  Anyone want to write a scanner that detects this?  All you need to
>> search for is pages that don't specify a form action.   It would
>> make a very nice Zap or Burp passive check, "Unspecified form target:
>> HTTP parameter override attack possible"
>>
>> --Jeff
>>
>>
>>
>> On Wed, Jul 4, 2012 at 5:53 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>> > Hey Jeff, on the scan you request below, what do you want to search for?
>> >
>> > "web pages that submit form data with no action, that ends up being
>> > collected by a server side getParameter?"
>> >
>> > Is there a sample app we could use to test the scan accuracy?
>> >
>> > Dinis Cruz
>> >
>> > On 3 Jul 2012, at 14:51, Jeff Williams <jeff.williams at owasp.org> wrote:
>> >
>> >> Hi Leaders,
>> >>
>> >> See the attached paper from a Google researcher…
>> >>
>> >> The latest (3.0) Java Servlet spec says that "Data from the query
>> >> string and the post body are aggregated into the request parameter
>> >> set. Query string data is presented before post body data."
>> >>
>> >> So if your Java web app has a form with no target and POSTs back
>> >> to the same URL (or less likely, if the application somehow propagates
>> >> GET parameters to the target URL), here's the attack...
>> >>
>> >> 1)    Get victim to click on a link like
>> >> http://example.com/changePassword?pw1=foo&pw2=foo
>> >> 2)    Victim visits the changePassword page and fills in the form with
>> >> pw1=bar&pw2=bar
>> >> 3)    Server calls getParameter(“pw1”) and gets “foo” not “bar”, same
>> >> for pw2
>> >> 4)    Server changes password to “foo”
>> >> 5)    Attacker takes over account
>> >>
>> >> This is relatively easy to find both statically and dynamically. It’s
>> >> sort of like CSRF, but adding a token won’t fix the problem.  To fix
>> >> it, you can change the form to have a separate target, but that could
>> >> be a decent amount of work.
>> >>
>> >> Is there something else crafty that we could suggest to the servlet
>> >> team to fix this in the spec?  One idea is to add an optional
>> >> parameter to the getParameter() method to allow you to specify
>> >> GET_ONLY or POST_ONLY.   Or what about a security setting that puts
>> >> POST parameters first, since that’s almost certainly what was
>> >> expected?
>> >>
>> >> Other ideas?  Remember, you can’t break existing apps.  I'm going to
>> >> need some ammo to get a change for this into the spec.  Anybody want
>> >> to do a scan to see how widespread this problem is?
>> >>
>> >> Thanks,
>> >>
>> >> --Jeff
>> >> <OnParameterPollutionAttacks.pdf>
>>
>
>
>
> --
> OWASP ZAP: Toolsmith Tool of the Year 2011 <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
>
>


-- 
OWASP ZAP: Toolsmith Tool of the Year 2011 <http://holisticinfosec.blogspot.com/2012/02/2011-toolsmith-tool-of-year-owasp-zap.html>
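Added example (not code from this thread, from ZAP, or from the servlet parameter pollution scanner linked above): a small Python model of the three points the thread turns on. It emulates the Servlet 3.0 aggregation rule Jeff quotes (query-string values presented before POST body values, so a first-value `getParameter()` returns the query-string copy), shows a POST-only accessor of the kind his `POST_ONLY` suggestion would give a developer, and implements the passive check Simon's extension performs (flag forms with no `action` attribute, here also an empty one). The URLs, the `pw1`/`pw2` request and the HTML page are constructed sample data; the function names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the link from step 1 of the attack in the thread,
# plus the form values the victim actually typed (step 2).
SAMPLE_URL = "http://example.com/changePassword?pw1=foo&pw2=foo"
SAMPLE_BODY = "pw1=bar&pw2=bar"

# Constructed sample page: one form with no action, one with an explicit action,
# one with an empty action (browsers also submit that back to the current URL).
SAMPLE_HTML = """<html><body>
<form id="change" method="post"><input name="pw1"><input name="pw2"></form>
<form id="search" action="/search" method="get"><input name="q"></form>
<form name="login" action="" method="post"><input name="user"></form>
</body></html>"""


def aggregate_parameters(url, post_body):
    """Model of the Servlet 3.0 rule quoted in the thread: query string and
    POST body are merged into one parameter set, query-string values first."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    body = parse_qs(post_body, keep_blank_values=True)
    merged = {}
    for name in list(query) + [n for n in body if n not in query]:
        merged[name] = query.get(name, []) + body.get(name, [])
    return merged


def get_parameter(merged, name):
    """Servlet-style getParameter(): the first aggregated value, or None."""
    values = merged.get(name)
    return values[0] if values else None


def post_only_parameter(post_body, name):
    """Mitigation: read a sensitive field from the POST body only, so a value
    smuggled into the query string of the link cannot override it."""
    values = parse_qs(post_body, keep_blank_values=True).get(name)
    return values[0] if values else None


def overridden_names(url, post_body):
    """Detection at the server: parameter names that arrive in both the query
    string and the body, which is what a pollution attempt looks like."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    body = parse_qs(post_body, keep_blank_values=True)
    return [name for name in body if name in query]


class _FormActionCheck(HTMLParser):
    """Collects forms whose action attribute is missing or empty."""

    def __init__(self):
        super().__init__()
        self.flagged = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        attributes = dict(attrs)
        action = attributes.get("action")
        if action is None or action.strip() == "":
            label = attributes.get("id") or attributes.get("name") or "<anonymous>"
            self.flagged.append(label)


def forms_without_action(html):
    """Passive check: return an identifier for every form on the page that
    submits back to the current URL because it has no (or an empty) action."""
    parser = _FormActionCheck()
    parser.feed(html)
    return parser.flagged


if __name__ == "__main__":
    merged = aggregate_parameters(SAMPLE_URL, SAMPLE_BODY)
    print("getParameter('pw1') under the spec rule:", get_parameter(merged, "pw1"))
    print("POST-only read of 'pw1':", post_only_parameter(SAMPLE_BODY, "pw1"))
    print("names overridden via the query string:", overridden_names(SAMPLE_URL, SAMPLE_BODY))
    print("forms flagged by the passive check:", forms_without_action(SAMPLE_HTML))
```

Run as a script it shows the spec-conformant read returning `foo` (the attacker's value from the link) while the POST-only read returns `bar` (what the victim typed); the same request with no query string returns `bar` either way. The HTML check flags the `change` and `login` forms and leaves `search` alone, which is the signal the scanner extension reports as "potentially having this issue".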