Automated Detection of HPP Vulnerabilities in Web Applications

Black Hat USA 2011

Presented by: Marco Balduzzi
Date: Thursday August 04, 2011
Time: 16:45 - 18:00
Location: Roman
Track: Web Hacking

HTTP Parameter Pollution (HPP) is a recent class of web vulnerabilities that consists of injecting encoded query string delimiters into other existing HTTP parameters. When a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks.

To begin with, I introduce HTTP Parameter Pollution by analyzing different real attack scenarios and discussing the problems that may arise. I will then present PAPAS, the first automated system that we designed for the detection of HPP flaws in real web applications. PAPAS combines a modified version of Firefox with a crawler and two scanners in order to analyze web pages efficiently for the presence of vulnerable parameters that can be injected with arbitrary HPP payloads.

PAPAS has been used to conduct a large-scale experiment on the Internet, testing more than 5,000 popular websites and discovering previously unknown HPP bugs in many important and well-known sites such as Facebook, Google and PayPal.

The talk features a live demo of PAPAS, which has recently been made available as a free-to-use service. I will conclude the talk by discussing the different countermeasures that security-conscious web designers may adopt to deal with this novel class of injection vulnerabilities.
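The mechanism described above, as an added example that is not part of the talk or of PAPAS: a front end decodes a query parameter and splices it into a back-end URL, so an encoded `&` inside the value becomes a live delimiter and a second `lang` parameter appears; the hardened variant re-encodes values, and a small check flags the duplicate the way a scanner would. The hostnames, parameter names and the `backend.internal` service are constructed for illustration.

```python
"""Constructed HPP example: encoded delimiters leaking out of a parameter value."""
from urllib.parse import parse_qs, urlencode, urlsplit

BACKEND = "http://backend.internal/search"  # hypothetical internal service


def build_backend_url_vulnerable(frontend_url: str) -> str:
    """Server-side HPP: 'q' is percent-decoded by parse_qs and then pasted
    into the back-end query as raw text, so %26 in 'q' becomes a real '&'."""
    params = parse_qs(urlsplit(frontend_url).query, keep_blank_values=True)
    q = params.get("q", [""])[0]
    return f"{BACKEND}?q={q}&lang=en"


def build_backend_url_fixed(frontend_url: str) -> str:
    """Hardened form: every value is re-encoded when the back-end query is
    composed, so delimiters inside a value stay data."""
    params = parse_qs(urlsplit(frontend_url).query, keep_blank_values=True)
    q = params.get("q", [""])[0]
    return f"{BACKEND}?{urlencode({'q': q, 'lang': 'en'})}"


def backend_params(url: str) -> dict:
    """What the back end actually sees; parse_qs keeps duplicates as lists,
    which is exactly the signal a detector looks for."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def is_polluted(url: str, expected: set) -> bool:
    """A parameter seen more than once, or one outside the expected set,
    means a delimiter escaped from a value."""
    seen = backend_params(url)
    return any(len(v) > 1 for v in seen.values()) or not set(seen) <= expected


if __name__ == "__main__":
    # Constructed front-end request: the value of q carries an encoded '&'
    # and '=' (%26lang%3Dde), i.e. an HPP probe of the kind PAPAS injects.
    frontend = "http://www.example.com/search?q=shoes%26lang%3Dde"
    for name, fn in (("vulnerable", build_backend_url_vulnerable),
                     ("fixed", build_backend_url_fixed)):
        url = fn(frontend)
        print(name, url, backend_params(url), is_polluted(url, {"q", "lang"}))
```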

Marco Balduzzi

Marco Balduzzi holds an MSc. in computer engineering and has been involved in IT security for more than 8 years, with international experience in both industrial and academic fields. He worked as a security consultant and engineer for different companies in Milan, Munich and Sophia-Antipolis, in the south of France, before joining EURECOM and the International Secure Systems Lab as a Ph.D. researcher. He has attended well-known and high-profile conferences all over the world (Blackhat, OWASP AppSec, NDSS) and currently speaks five different languages. Being a Free Software sympathizer, in the year 2K he co-founded the Bergamo Linux User Group and the University Laboratory of Applied Computing. In former times, he was an active member of several open-source projects and Italian hacking groups.
