Automated Detection of HPP Vulnerabilities in Web Applications

Presented at Black Hat USA 2011, Aug. 4, 2011, 4:45 p.m. (75 minutes).

HTTP Parameter Pollution (HPP) is a recent class of web vulnerabilities that consists of injecting encoded query string delimiters into other existing HTTP parameters. When a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks.

To begin with, I introduce HTTP Parameter Pollution by analyzing different real attack scenarios and discussing the problems that may be faced. I will then present the first automated system, called PAPAS, that we designed for the detection of HPP flaws in real web applications. PAPAS combines a modified version of Firefox with a crawler and two scanners in order to analyze web pages efficiently for the presence of vulnerable parameters that can be injected with arbitrary HPP payloads.

PAPAS has been used to conduct a large-scale experiment on the Internet by testing more than 5,000 popular websites and discovering unknown HPP bugs in many important and well-known sites such as Facebook, Google and PayPal.

The talk features a live demo of PAPAS, which has recently been made available as a free-to-use service. I will conclude the talk by discussing the different countermeasures that conscious web designers may adopt to deal with this novel class of injection vulnerabilities.
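
The client-side case from the first paragraph, as an added example (not from the talk and not PAPAS code): a hypothetical `vote` page echoes an already-decoded `poll_id` into a link, once without and once with URL encoding, and a check flags links in which an injected marker appears as a parameter of its own. The page name, the parameter names and the marker `hpptest` are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote, urlsplit


def render_vulnerable(poll_id):
    # poll_id has already been URL-decoded by the framework. It is HTML-escaped
    # but not URL-encoded, so a decoded '&' acts as a new query delimiter.
    return f'<a href="vote?action=view&poll_id={escape(poll_id)}">View</a>'


def render_hardened(poll_id):
    # Percent-encode for the query-string context first, then HTML-escape.
    value = quote(poll_id, safe="")
    return f'<a href="vote?action=view&poll_id={escape(value)}">View</a>'


class LinkCollector(HTMLParser):
    """Collects href values the way a browser would see them (entities decoded)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if k == "href" and v]


def polluted_links(render, marker="hpptest"):
    """Return the hrefs in which the marker shows up as a separate parameter."""
    # Constructed input: what the application holds after decoding a request
    # value of "1%26hpptest%3D1" (an encoded '&' and '=' inside poll_id).
    decoded_value = f"1&{marker}=1"
    parser = LinkCollector()
    parser.feed(render(decoded_value))
    parser.close()
    return [h for h in parser.hrefs
            if marker in dict(parse_qsl(urlsplit(h).query))]


if __name__ == "__main__":
    print("vulnerable:", polluted_links(render_vulnerable))
    print("hardened:  ", polluted_links(render_hardened))
```

HTML-escaping alone does not help here, because the browser decodes `&amp;` back to `&` before it parses the link's query string.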

