On Tue, May 19, 2009 at 10:18 AM, Tom Arnold <t0m4rn...@gmail.com> wrote:
> Hello,
>
> just out of curiosity is Lift vulnerable to http parameter pollution?

Lift is built on Scala, so by default, it's strongly typed, thus half the HPP attacks (causing an Array to be sent to a method expecting a String) disappear.

Lift's rules for decoding parameters are stable and well defined. If you do an S.param("name") and there were multiple "name" parameters passed in, you'll get the head of the List, which is the first parameter decoded from the URL-encoded POST or GET.

The place where things might be strange is in the processing of form elements. If you do something like: SHtml.text("", funcToBeCalledOnFormSubmission _), the function will be called twice if there are two copies of the parameter in the request. I can change this behavior... I should probably change this behavior.

In general, however, Lift apps are more resistant to this kind of attack because (1) Lift encourages keeping state on the server and referring to it with opaque identifiers, (2) Lift's opaque identifiers are unique for each request, making it difficult to build a bot that will spoof them, and (3) Lift is built on top of Scala, which is strongly typed, so you always know what the type of the parameter is.

> It was demoed at OWASP by two Italian researchers.
>
> http://blog.mindedsecurity.com/2009/05/http-parameter-pollution-new-web-attack.html
>
> Cheers,
>
> Tom

--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Git some: http://github.com/dpp
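As an added example (plain Scala written for this page, not Lift's code or anything posted in the thread), the following models the two behaviours the reply describes: a multi-valued parameter map where a lookup returns the head of the List, and a form-field callback that fires once per duplicate occurrence, beside a guarded dispatch that calls it at most once and reports the duplicated names. Field names and the request body are constructed; `HppDemo`, `parseParams`, `dispatchNaive` and `dispatchGuarded` are hypothetical names.

```scala
import java.net.URLDecoder

object HppDemo {
  // Decode "a=1&b=2&a=3" into Map("a" -> List("1", "3"), "b" -> List("2")),
  // keeping every value for a name in request order.
  def parseParams(query: String): Map[String, List[String]] = {
    val pairs = query.split("&").toList.filter(_.nonEmpty).map { kv =>
      val (k, v) = kv.span(_ != '=')
      (URLDecoder.decode(k, "UTF-8"), URLDecoder.decode(v.drop(1), "UTF-8"))
    }
    pairs.groupBy(_._1).map { case (k, vs) => k -> vs.map(_._2) }
  }

  // First-occurrence lookup: the head-of-List rule the reply describes for S.param.
  def param(params: Map[String, List[String]], name: String): Option[String] =
    params.get(name).flatMap(_.headOption)

  // Names sent more than once: the precondition every HPP variant depends on.
  def polluted(params: Map[String, List[String]]): Set[String] =
    params.collect { case (k, vs) if vs.size > 1 => k }.toSet

  // Naive dispatch: a function bound to a form field runs once per occurrence,
  // which is the "called twice" behaviour the reply flags. Returns the call count.
  def dispatchNaive(params: Map[String, List[String]],
                    handlers: Map[String, String => Unit]): Int = {
    var calls = 0
    for ((name, f) <- handlers; v <- params.getOrElse(name, Nil)) { f(v); calls += 1 }
    calls
  }

  // Guarded dispatch: at most one call per bound field, using the first value, and
  // the duplicated field names are returned so the request can be rejected or logged.
  def dispatchGuarded(params: Map[String, List[String]],
                      handlers: Map[String, String => Unit]): (Int, Set[String]) = {
    var calls = 0
    for ((name, f) <- handlers; v <- param(params, name)) { f(v); calls += 1 }
    (calls, polluted(params).intersect(handlers.keySet))
  }

  def main(args: Array[String]): Unit = {
    // Constructed request body with hypothetical field names: "amount" is sent twice.
    val body = "to=alice&amount=10&amount=9999"
    val params = parseParams(body)
    val handlers: Map[String, String => Unit] =
      Map("amount" -> ((v: String) => println(s"amount handler saw $v")))
    println(s"S.param-style lookup: ${param(params, "amount")}")
    println(s"naive dispatch calls: ${dispatchNaive(params, handlers)}")
    println(s"guarded dispatch (calls, polluted): ${dispatchGuarded(params, handlers)}")
  }
}
```

Run with `scala HppDemo.scala` (Scala 2.13 or 3); a non-empty `polluted` set on a form submission is the signal a server-side check would act on.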