"Forgive me, I don't have the time to be brief" -- unfortunately this is
going to be a longish one.

I'm confused about an issue I've been having trying to detect client-side
parameter pollution vulnerabilities. I've been stuck on this for a while.

What I'm doing is, for each parameter in a request, injecting an innocuous
parameter. For example, if the request were:
http://www.example.com/?x=abc&y=xyz

We could inject the parameter ZJkL=NrZp like so:
http://www.example.com/?x=abc%26ZJkL%3DNrZp&y=xyz
http://www.example.com/?x=abc&y=xyz%26ZJkL%3DNrZp

Then we examine the response from each of those requests and check whether
any links in the response contain our injected parameter. For example, if we
found the following in the response body, it would mean the "x" parameter is
vulnerable to parameter pollution:
http://www.example.com/submit.php?x=abc&ZJkL=NrZp&y=xyz

If this is the case, then we can use the fact that a server will discard a
duplicate parameter and use either the first or the second occurrence to
overwrite other parameters in the requests for the forms and links on the
page.

The problem I am having is that while my browser (Firefox) will return
responses containing things like:
http://www.example.com/submit.php?x=abc&ZJkL=NrZp&y=xyz

When I use sendMutant or urlOpener.GET, the same request results in the
URL in the response looking like this:
http://www.example.com/submit.php?x=abc%26ZJkL%3DNrZp&y=xyz

The characters are not being decoded and I have no idea why! I thought that
the decoding would be done on the server side; is this done in the browser?
Does that mean these vulnerabilities will be browser-specific? I'm really
not sure how this works behind the scenes.

For a real example of this vulnerability I've been using the following URL
for testing:
http://www.pof.com/basicsearch.aspx?iama=m%26ZJkL%3DNrZp&seekinga=f&minage=18&maxage=40&imagesetting=0&searchtype=&intent=&ethnicity=0&country=1&City=Chicago&z_code=&miles=25&sorting=0&cmdSearch=Search&Profession=&Interests=&save=1#in

If you look at the links to "More Search Results 1,2,3" etc. at the
bottom of the page, you will see that the parameter ZJkL=NrZp has been
injected into the links.

Thanks!

On Wed, May 2, 2012 at 11:02 PM, Andres Riancho <andres.rian...@gmail.com> wrote:

> Stephen,
>
> On Wed, May 2, 2012 at 4:10 PM, Stephen Breen <breen.mach...@gmail.com>
> wrote:
> > In case anyone else is interested in this, someone else has already created
> > a system to scan and detect HTTP parameter pollution vulnerabilities. They
> > don't provide the source for their tool but it can be found here:
> > http://papas.iseclab.org/cgi-bin/index.py
> >
> > Their paper describing how it works can be found here:
> > http://www.iseclab.org/people/embyte/papers/hpp.pdf
> >
> > I plan on reading it and taking a shot at implementation as a w3af plugin.
>
> Great! For comparing HTTP response bodies (which I assume you'll have
> to do) take a look at levenshtein.py (relative_distance_boolean
> function).
>
> Regards,
>
> >
> ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > W3af-develop mailing list
> > W3af-develop@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/w3af-develop
> >
>
>
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
>
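The detection procedure described in the first message (inject an encoded `&ZJkL=NrZp` into each parameter value, then look for links in the response where `ZJkL` has become a parameter of its own), as an added example that is not part of the original thread and not w3af's own code. The percent-decoding of `%26` and `%3D` happens in the server-side framework when it parses the query string; Firefox sends the characters exactly as typed. The link then looks "decoded" only because the vulnerable page rebuilds its pagination links by concatenating the decoded values without re-encoding them. `vulnerable_page` and `hardened_page` are constructed stand-ins for that server behaviour (they are not the pof.com code); the `fetch` callable and the `submit.php` path are assumptions for the sake of a runnable example.

```python
"""Client-side HTTP parameter pollution (HPP) probe, added example.

Mutants put the probe "%26ZJkL%3DNrZp" inside one parameter value at a time.
A server that decodes the query and then rebuilds links with raw values leaks
the probe as a separate "ZJkL" parameter, which is what the check looks for.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

MARKER_NAME = "ZJkL"
MARKER_VALUE = "NrZp"
# Encoded once, so the server sees ONE parameter whose value is "...&ZJkL=NrZp".
PROBE = quote(f"&{MARKER_NAME}={MARKER_VALUE}", safe="")  # "%26ZJkL%3DNrZp"


def build_mutants(url):
    """Return (parameter_name, mutated_url) pairs, one per query parameter."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    mutants = []
    for i, (name, _) in enumerate(pairs):
        encoded = []
        for j, (n, v) in enumerate(pairs):
            piece = quote(n, safe="") + "=" + quote(v, safe="")
            if j == i:
                # Append the probe to the already-encoded value; passing it
                # through quote() again would turn "%26" into "%2526".
                piece += PROBE
            encoded.append(piece)
        mutants.append((name, urlunsplit(parts._replace(query="&".join(encoded)))))
    return mutants


class LinkCollector(HTMLParser):
    """Collects <a href> and <form action> targets; HTMLParser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for attr, val in attrs:
            if tag in ("a", "form") and attr in ("href", "action") and val:
                self.links.append(val)


def find_polluted_links(html):
    """Links whose query string carries the marker as its OWN parameter.

    A link holding "x=abc%26ZJkL%3DNrZp" still parses as a single "x" value
    and is NOT reported: the server kept the value encoded, so no pollution.
    """
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for link in collector.links:
        params = dict(parse_qsl(urlsplit(link).query, keep_blank_values=True))
        if params.get(MARKER_NAME) == MARKER_VALUE:
            hits.append(link)
    return hits


def scan(url, fetch):
    """Names of the parameters whose injected probe came back as a separate parameter."""
    return [name for name, mutant in build_mutants(url) if find_polluted_links(fetch(mutant))]


# --- constructed stand-ins for the server side (assumption, not real site code) ---

def vulnerable_page(request_url):
    """Decodes the query, then rebuilds paging links from raw values: the HPP bug."""
    params = parse_qsl(urlsplit(request_url).query, keep_blank_values=True)
    raw = "&".join(f"{n}={v}" for n, v in params)  # no re-encoding
    return "".join(f'<a href="/submit.php?{raw}&amp;page={p}">More {p}</a>' for p in (1, 2, 3))


def hardened_page(request_url):
    """Same page, but every rebuilt link is re-encoded with urlencode()."""
    params = parse_qsl(urlsplit(request_url).query, keep_blank_values=True)
    return "".join(
        f'<a href="/submit.php?{urlencode(params + [("page", p)])}">More {p}</a>' for p in (1, 2, 3)
    )


if __name__ == "__main__":
    target = "http://www.example.com/?x=abc&y=xyz"
    for name, mutant in build_mutants(target):
        print(name, "->", mutant)
    print("vulnerable params:", scan(target, vulnerable_page))
    print("after hardening:  ", scan(target, hardened_page))
```

Two things worth keeping in mind when wiring this into a scanner. First, the probe must reach the wire as `%26ZJkL%3DNrZp`; if the HTTP client URL-encodes the mutant a second time, the server receives `%2526...`, decodes it once to the literal text `%26ZJkL%3DNrZp`, and the rebuilt link shows exactly that still-encoded string even on a vulnerable page, so a scanner sees no pollution where a browser does. Second, the check above only flags the marker when it parses as a separate parameter, which is the condition that makes the injection exploitable; whether the first or last duplicate wins is then a property of the server framework and has to be tested separately.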