On Tue, May 19, 2009 at 10:18 AM, Tom Arnold <t0m4rn...@gmail.com> wrote:

>
> Hello,
>
> just out of curiosity is Lift vulnerable to http parameter pollution?


Lift is built on Scala, so by default, it's strongly typed, thus half the
HPP attacks (causing an Array to be sent to a method expecting a String)
disappear.

Lift's rules for decoding parameters are stable and well defined.  If you do
an S.param("name") and there were multiple "name" parameters passed in,
you'll get the head of the List which is the first parameter decoded from
the URL-encoded POST or GET.

The place where things might be strange is in the processing of form
elements.  If you do something like: SHtml.text("",
funcToBeCalledOnFormSubmission _), the function will be called twice if
there are two copies of the parameter in the request.  I can change this
behavior... I should probably change this behavior.

In general, however, Lift apps are more resistant to this kind of attack
because (1) Lift encourages keeping state on the server and referring to it
with opaque identifiers (2) Lift's opaque identifiers are unique for each
request making it difficult to build a bot that will spoof them and (3) Lift
is built on top of Scala, which is strongly typed, so you always know what
the type of the parameter is.


> It was demoed at OWASP by two Italian researchers.
>
> http://blog.mindedsecurity.com/2009/05/http-parameter-pollution-new-web-attack.html
>
> Cheers,
>
> Tom


-- 
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Git some: http://github.com/dpp
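As an added illustration for this thread (written in Python, not Lift's own code), the following models the two behaviours described in the reply: a first-value-wins lookup like S.param, and a per-value form-callback dispatch that fires twice when a bound field is duplicated, beside a dispatch that detects the duplicate and refuses to call the callback at all. The request body and the opaque field id F123 are constructed for the example.

```python
from urllib.parse import parse_qsl

# Constructed sample POST body: the opaque form field "F123" is sent twice,
# which is the HTTP parameter pollution case discussed in the thread.
SAMPLE_BODY = "name=alice&F123=hello&F123=world"


def decode_params(body):
    """Decode a URL-encoded body into {name: [values in wire order]}.
    Order is preserved, so the first value on the wire is always index 0."""
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        params.setdefault(key, []).append(value)
    return params


def param(params, name):
    """First value wins, like the head-of-list semantics described for
    S.param: the first copy of the parameter, or None if absent."""
    values = params.get(name)
    return values[0] if values else None


def polluted_fields(params, bound_names):
    """Names of bound form fields that arrived with more than one value."""
    return [n for n in bound_names if len(params.get(n, [])) > 1]


def dispatch_naive(params, callbacks):
    """Per-value dispatch: a callback registered under an opaque field id is
    invoked once per value, so a duplicated field calls it twice. This is the
    behaviour the reply says should change; it is shown to make the risk visible."""
    results = []
    for name, values in params.items():
        if name in callbacks:
            for value in values:
                results.append(callbacks[name](value))
    return results


def dispatch_hardened(params, callbacks):
    """Fail closed: if any bound field is duplicated, run no callbacks and
    return None so the caller can reject the request; otherwise each
    callback runs exactly once with the single value it was sent."""
    if polluted_fields(params, callbacks):
        return None
    return [callbacks[n](params[n][0]) for n in callbacks if n in params]


if __name__ == "__main__":
    decoded = decode_params(SAMPLE_BODY)
    print(param(decoded, "F123"), dispatch_naive(decoded, {"F123": str.upper}))
```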
