HTTP Parameter Pollution Vulnerabilities in Web Applications
// Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a newer class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. This talk analyzes HTTP Parameter Pollution and presents the first automated system for the detection of HPP flaws in real web applications. We used this system to conduct a large-scale experiment, testing more than 5,000 popular websites and discovering previously unknown HPP bugs in many important and well-known sites such as Microsoft, Google, VMware and PayPal. In this presentation we will describe the details of the architecture and of the algorithms we implemented to efficiently detect HPP vulnerabilities. We will conclude by discussing the HPP phenomenon and giving suggestions on how to prevent this class of injection vulnerabilities in future web applications.
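As an added illustration of the mechanism the abstract describes (example code, not code from the talk or from the authors' detection system), the following Python shows how a decoded delimiter inside one parameter becomes an extra parameter when a back-end URL is rebuilt by string concatenation, how re-encoding the values prevents it, and a simple check that flags the discrepancy. The handler names, paths and sample query string are constructed for the example.

```python
"""HTTP Parameter Pollution (HPP) illustration: a front-end handler decodes a
user-supplied query string and builds a second, back-end query from it.
All names, paths and values below are constructed for this example."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed front-end request: the 'to' value carries an encoded '&' and '='.
FRONT_QUERY = "amount=10&to=alice%26to%3Dbob"


def parse_query(query: str) -> dict:
    """Decode a query string the way a typical web framework does
    (first value wins when a name repeats)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_backend_url_vulnerable(params: dict) -> str:
    """Concatenates already-decoded values into a new query string without
    re-encoding, so a decoded '&' or '=' acts as a delimiter again."""
    return "/backend/transfer?amount=%s&to=%s" % (params["amount"], params["to"])


def build_backend_url_safe(params: dict) -> str:
    """Re-encodes every value, so delimiters stay inside the value."""
    return "/backend/transfer?" + urlencode(
        {"amount": params["amount"], "to": params["to"]})


def backend_params(url: str) -> dict:
    """Parse the rebuilt URL the way the back-end layer will see it
    (all values kept, so duplicated names are visible)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def hpp_check(front_query: str, builder) -> bool:
    """True when the back end receives a different parameter set than the
    front end intended (an extra name, or a name with several values)."""
    front = parse_query(front_query)
    back = backend_params(builder(front))
    return set(back) != set(front) or any(len(v) != 1 for v in back.values())


if __name__ == "__main__":
    print(build_backend_url_vulnerable(parse_query(FRONT_QUERY)))
    print(hpp_check(FRONT_QUERY, build_backend_url_vulnerable))  # True
    print(build_backend_url_safe(parse_query(FRONT_QUERY)))
    print(hpp_check(FRONT_QUERY, build_backend_url_safe))  # False
```

Which of the duplicated values the back end actually honours depends on its framework, which is why the check treats any repeated name as a finding rather than guessing the precedence.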
Marco Balduzzi holds an MSc in computer engineering and has been involved in IT security for more than 8 years, with international experience in both industrial and academic fields. He has worked as a security consultant and engineer for different companies in Milan, Munich and Sophia Antipolis, in the south of France, before joining EURECOM and the International Secure Systems Lab as a Ph.D. researcher. He has attended well-known and high-profile conferences all over the world (Black Hat, OWASP AppSec, NDSS) and currently speaks five different languages. Being a Free Software sympathizer, in the year 2000 he co-founded the Bergamo Linux User Group and the University Laboratory of Applied Computing. In former times, he was an active member of several open-source projects and Italian hacking groups.
Patrick Vandenberg, Manager, IBM Rational Security and Compliance. As the manager of IBM Rational Security & Compliance Marketing, he is responsible for the strategic marketing and execution of the Rational AppScan portfolio, part of the Application pillar of the IBM Security framework. Patrick came to IBM through the acquisition of Watchfire in 2007, was an integration lead on the Ounce Labs acquisition, and brings 17 years of experience in product management, product marketing, software development and sales, and most notably 12 years in the security industry. Patrick holds a degree in Systems & Computer Engineering.
We would like to thank this month's webcast sponsor, IBM. IBM Security Solutions include an extensive portfolio of hardware, software solutions, and professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint, and physical infrastructure. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force® Research and Development is one of the most renowned commercial security research and development groups in the world. According to a recent IBM X-Force report, 55% of vulnerabilities are Web application vulnerabilities. For more information on how IBM Rational application security software helps IT and security professionals protect against attacks and data breaches, and on how to address today's biggest risks, please visit us at ibm.com/security.
Black Hat Team
© UBM TechWeb 2011. All Rights Reserved.
Black Hat c/o UBM TechWeb, 303 Second St., Suite 900 South Tower, San Francisco, CA 94107. UBM TechWeb, Black Hat, and associated design marks and logos are trademarks owned or used under license by United Business Media LLC, and may be registered in the United States and other countries. Other names mentioned may be the trademark or service mark of their respective owners.