On Fri, 02 Mar 2012 12:25:12 -0800
Paul Wallingford <p...@cybergestalt.net> wrote:

> I did some research into this.  It is a bit obscure and information is 
> not easy to find.  I believe the scan is referencing HTTP Parameter 
> Pollution (HPP).
> 
> See: http://www.iseclab.org/people/embyte/slides/BHEU2011/hpp-bhEU2011.pdf
> 
> Essentially, it comes down to how the application or framework handles 
> multiple sources of the same parameter.  There are several ways an 
> attacker can pollute the parameters.

This is an interesting read, and I agree that this may be a problem,
but its most potent use seems to be exposing either a forgotten
URL-encode, or a validation or logic error of sorts in the author's
code. Both must be combined with social engineering to work.

HPWI SUMMARY ON POST/GET COLLAPSE:
> Some web frameworks collapse the POST and GET parameters into a single
> collection. This is a flawed design pattern from a security standpoint.
> If a page accepts POST parameters as GET parameters an attacker would be
> able to effect change on websites through Cross-Site Request Forgery or
> leverage this design flaw with other vulnerabilities to attack the
> system hosting the web application.

I can understand why they are saying it is flawed, but it has little to
do with CSRF (except making it a tad easier).

What I think it is saying is that, let's say you have forum software
with a POST/GET collapse and you forget to explicitly check for POST in
one of the functions. If so, an attacker can compose a post that embeds
an "image" link that (say) deletes the user's account. If a user visits
a thread that contains that post, his account will be deleted.
(Alternatively, the attacker may have posted a link to the deletion via
a URL shortener and it would have had a similar effect.)

What this did was expose a pre-existing vulnerability (lack of POST
checking) to create a worse CSRF situation. If this collapse was not in
effect, the attacker would have had to inject JavaScript (much harder)
or get a user to visit an external link to trigger this vulnerability.

If there had been CSRF checks in place (e.g. "Please enter your password
to delete your account"), the POST/GET collapse would not have affected
a thing.

_______________________________________________
Mason-users mailing list
Mason-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mason-users
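The scenario described in the reply above (a framework that collapses GET and POST parameters, a delete handler that forgets to check the method, and the forged image link that exploits it), as an added illustration that is not part of the thread and not Mason code. The request class, the `alice` account, the `tok-alice-1` token and the handler names are all constructed for the example; the CSRF token stands in for the "enter your password" re-authentication step the reply mentions, and "body wins on conflict" is an assumed collapse policy, since real frameworks differ.

```python
# Added illustration for the "POST/GET collapse" discussed in the thread.
# Not Mason code and not from the original message; every name, token and
# handler below is constructed for the example.
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a framework would hand it over."""
    method: str
    query_string: str = ""      # what an <img src="..."> or a plain link controls
    body: str = ""              # application/x-www-form-urlencoded POST body


def form_params(encoded):
    """Decode a form-encoded string, keeping the last value of each key
    (one of several possible duplicate-parameter policies; frameworks differ)."""
    return {k: v[-1] for k, v in parse_qs(encoded).items()}


def collapsed_params(req):
    """The flawed pattern: query and body merged into one collection, so a
    handler can no longer tell where a parameter came from."""
    params = form_params(req.query_string)
    params.update(form_params(req.body))   # body wins on conflict (assumed policy)
    return params


def fresh_accounts():
    """Constructed sample state: one user with a per-session CSRF token."""
    return {"alice": {"deleted": False, "csrf_token": "tok-alice-1"}}


def delete_account_vulnerable(req, accounts):
    """Forgets to check req.method; with the collapse in place, the parameters
    of a plain GET (e.g. an image link in a forum post) are honoured."""
    p = collapsed_params(req)
    user = p.get("user")
    if p.get("action") == "delete" and user in accounts:
        accounts[user]["deleted"] = True
        return 200
    return 400


def delete_account_hardened(req, accounts):
    """Reads the body only, insists on POST, and requires a CSRF token
    (standing in for the 'please enter your password' check)."""
    if req.method != "POST":
        return 405
    form = form_params(req.body)
    user = form.get("user")
    if form.get("action") != "delete" or user not in accounts:
        return 400
    expected = accounts[user]["csrf_token"]
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return 403
    accounts[user]["deleted"] = True
    return 200


def demo():
    """Replays the thread's scenario. Returns the status codes for: the forged
    GET against the vulnerable handler, the same GET against the hardened one,
    a cross-origin POST without the token, and a legitimate POST with it."""
    # The victim's browser fetches <img src="/account?action=delete&user=alice"> as a GET.
    forged_get = Request("GET", query_string="action=delete&user=alice")

    accounts = fresh_accounts()
    vuln = delete_account_vulnerable(forged_get, accounts)          # 200, account deleted

    accounts = fresh_accounts()
    hard_get = delete_account_hardened(forged_get, accounts)        # 405, method rejected

    # A POST auto-submitted from another origin still lacks the session token.
    forged_post = Request("POST", body="action=delete&user=alice")
    hard_no_token = delete_account_hardened(forged_post, accounts)  # 403

    real_post = Request("POST", body="action=delete&user=alice&csrf_token=tok-alice-1")
    hard_ok = delete_account_hardened(real_post, accounts)          # 200
    return vuln, hard_get, hard_no_token, hard_ok


if __name__ == "__main__":
    print(demo())
```

Running the script prints `(200, 405, 403, 200)`: the forged GET succeeds only against the handler that reads the collapsed collection and skips the method check. Note that the method check alone is not a CSRF defence (a hidden auto-submitting form can still POST cross-origin), which is why the hardened handler also demands the per-session token the attacker cannot read.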