HTTP Parameter Pollution (HPP) Attack

Posted By: SecurityTube_Bot
Posted On: Mon 21 Feb 2011
Views: 8811


Description: HTTP Parameter Pollution (HPP) attacks can be defined as the ability to override or add HTTP GET/POST parameters by injecting query string delimiters. Luca Carettoni, an independent security researcher, and Stefano di Paola, CTO of Minded Security, elaborated the details of HPP at OWASP EU09 held in Poland this year. The attack is based on the fact that various web application platforms and web servers deal with multiple parameters with the same name in very different ways, as there is no standardization available for this behavior. As an example, let's say you pass the parameter "name" twice - http://xxx.com/example.aspx?name=vivek&name=ramachandran ; the behavior of ASP.NET is to concatenate the multiple values, i.e. within the application name will be received as "name = vivek, ramachandran". According to the researchers, HPP opens up the application to various client-side and server-side attacks. I am embedding the slides of their presentation and a video demo of HPP against Yahoo! Mail. You can find more information about the attack on Stefano's blog.
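The parsing disagreement described above, and the check a defender can put in front of it, as an added example that is not part of the original post or the researchers' material. The function names, the /item path, the action and id parameters and the bare comma separator are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit


def group_params(query):
    """Group decoded values by parameter name, preserving order of appearance."""
    grouped = defaultdict(list)
    for name, value in parse_qsl(query, keep_blank_values=True):
        grouped[name].append(value)
    return dict(grouped)


def interpretations(query):
    """Show what first-wins, last-wins and concatenating parsers each see."""
    return {
        # "joined" uses a bare comma as separator (assumption of this example).
        name: {"first": vals[0], "last": vals[-1], "joined": ",".join(vals)}
        for name, vals in group_params(query).items()
    }


def duplicate_names(query):
    """Names supplied more than once; a strict front end can reject these."""
    return sorted(n for n, vals in group_params(query).items() if len(vals) > 1)


def build_link_naive(user_value):
    # Decoded user input copied straight into a new query string.
    return "/item?action=view&id=" + user_value


def build_link_encoded(user_value):
    # urlencode() percent-encodes '&' and '=', so the value stays one parameter.
    return "/item?" + urlencode({"action": "view", "id": user_value})


if __name__ == "__main__":
    print(interpretations("name=vivek&name=ramachandran"))
    # Constructed input: what the application holds after the framework
    # has decoded a request carrying id=42%26action%3Dedit
    decoded = "42&action=edit"
    for link in (build_link_naive(decoded), build_link_encoded(decoded)):
        print(link, duplicate_names(urlsplit(link).query))
```

Rejecting or logging any request for which duplicate_names() is non-empty removes the ambiguity before components that parse differently can disagree about the value.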


 

Tags: basics

