Recipe 5-11: Detecting Duplicate Parameter Names
This recipe demonstrates how to detect when an attacker attempts to inject multiple parameters with duplicate names.
Ingredients
- OWASP AppSensor
- Additional/Duplicate Data in Request
- ModSecurity
- modsecurity_crs_40_parameter_pollution.conf
HTTP parameter pollution (HPP) was discussed in Recipe 5-2. The concept is that different web application platforms handle multiple parameters with the same name differently (some take the first value, some the last, and some concatenate them). Here is a real-life example of how HPP was used in a SQL Injection attack to bypass negative security filters.
The attacker initially attempted to send this attack payload:
1 AND (select DCount(last(username,1,1) from users where username='ad1min')
The OWASP ModSecurity Core Rule Set's SQL Injection signatures easily captured this payload. The attacker then leveraged HPP and segmented the payload into three separate parts by using three parameters, all named after. The following request was used:
POST /bank/transaction.aspx HTTP/1.1
Host: www.modsecurity.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://www.modsecurity.org/bank/transaction.aspx
Cookie: ASP.NET_SessionId=c0tx0o455d0b10ylsdr03m55; amSessionId=14408158863; amUserInfo=UserName=YWRtaW4=&Password=JyBvciAnMSc9JzEnOy0t; ...
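The detection logic this recipe is after, as an added example that is not from the book or the Core Rule Set: parse the request body, flag any parameter name that appears more than once, and show the comma-joined value a concatenating backend such as ASP.NET's Request.Form would hand to the application. The sample body is constructed; splitting the payload above at its two commas into three values of after is an assumption about how the segmentation was done.

```python
from urllib.parse import parse_qsl
from collections import OrderedDict

# Constructed sample body (not the book's request body, which is truncated above).
# The page's payload is split at its commas into three values of "after"; this
# split is an assumption. A fourth, benign parameter is included as a control.
SAMPLE_BODY = (
    "after=1+AND+%28select+DCount%28last%28username"
    "&after=1"
    "&after=1%29+from+users+where+username%3D%27ad1min%27%29"
    "&account=12345"
)


def find_duplicate_params(body):
    """Return {name: [value, ...]} for every parameter name seen more than once.

    parse_qsl keeps every occurrence in request order, which is what an
    AppSensor "Additional/Duplicate Data in Request" detector needs; a
    dict-style parser would silently collapse the duplicates.
    """
    seen = OrderedDict()
    for name, value in parse_qsl(body, keep_blank_values=True):
        seen.setdefault(name, []).append(value)
    return {name: values for name, values in seen.items() if len(values) > 1}


def joined_view(values, sep=","):
    """The single string a comma-concatenating backend (ASP.NET) would see."""
    return sep.join(values)


def inspect_request(body):
    """Produce one alert per duplicated parameter, including the reassembled value.

    Inspecting the joined view lets a filter that was bypassed on the
    individual fragments re-evaluate the payload the application will run.
    """
    alerts = []
    for name, values in find_duplicate_params(body).items():
        alerts.append({"param": name, "count": len(values),
                       "joined": joined_view(values)})
    return alerts


if __name__ == "__main__":
    for alert in inspect_request(SAMPLE_BODY):
        print(f"duplicate parameter {alert['param']!r} x{alert['count']}: "
              f"{alert['joined']}")
```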