In this issue, Brother Yong wants to talk with you about HTTP parameter pollution and how to defend against it. First, Brother Yong needs to point out that HTTP parameter pollution is not a vulnerability in itself; it is a difference in how server-side components behave depending on their implementation and configuration. If a site has a vulnerability such as SQL injection or XSS, and has corresponding safeguards in place, HTTP parameter pollution may help an attacker bypass those defenses.
HTTP parameter pollution, simply put, means assigning two or more values to the same parameter. The current HTTP standard does not say what to do when multiple values are supplied for the same parameter, so web components do not handle this situation in the same way.
First, let's look at the different behaviours that different websites show in this situation. When the URL www.baidu.com/s?tn=baidusite&word=usa&word=china is entered, the search keyword parameter word is assigned two values, usa and china. From the results, Baidu accepts the first value (usa) and discards the second (china).
The same example with Yahoo: when the URL is search.yahoo.com/search?p=usa&p=china, the search keyword variable p is assigned usa and china in turn. From the results, Yahoo accepts the last value (china) and discards the first (usa).
The last example is Google. The URL is www.google.com.hk/search?q=usa&q=china, the search keyword variable is q, and we assign it usa and china. From the search results, Google accepts both values and joins them with a space into a single parameter value.
The following table summarizes how some common web server and language combinations handle a parameter that appears more than once:
| Web server | Parameter get function | Parameter value(s) obtained |
|---|---|---|
| PHP/Apache | $_GET["par"] | Last |
| JSP/Tomcat | request.getParameter("par") | First |
| Perl (CGI)/Apache | param("par") | First |
| Python/Apache | getvalue("par") | All (list) |
| ASP/IIS | Request.QueryString("par") | All (comma-delimited string) |
With HTTP parameter pollution as an aid, attackers have successfully bypassed defenses. Brother Yong now shares a couple of real-life cases with you:
Case One
In 2009, ModSecurity filters blacklisted statements similar to select 1,2,3 from table. A request such as /index.aspx?page=select 1,2,3 from table is blocked when the filter sees it. However, when the web server receives different values for the same parameter, it concatenates them, which an attacker can use to bypass the blacklist. For example, the following URL is submitted:
/index.aspx?page=select 1&page=2,3 from table
First, this is not the blacklisted pattern, so it does not trigger the blacklist interception. Second, the SQL injection still executes because the web program concatenates the values on either side of the & symbol.
Case Two
This case concerns Apple CUPS, the printing system used by many UNIX systems. An XSS attack was triggered with the following request:
http://127.0.0.1:631/admin/?kerberos=onmouseover=alert(1)&kerberos
This bypasses the system's validation because the validation logic only looks at the second kerberos value, which is empty and therefore does not trigger it. The first kerberos value is never validated but is later used to build dynamic HTML content, so the JavaScript is eventually executed in the context of the web site.
On defense, Brother Yong suggests:
In summary, there are two ways to prevent such attacks. The first is to have a WAF or other gateway device (such as an IPS) treat a parameter that appears more than once specially when it inspects the URL. Because the HTTP protocol allows the same parameter to appear more than once, this special handling must be careful to avoid false positives. The second is at the code level: when writing a web program, obtain parameter values from the URL with a sensible method such as $_GET, and be careful when taking other values that the web server hands to the program.
Looking at the cases above: in the first case, the server's behaviour lets the attack signature evade some security products, but the signature is eventually reassembled on the server, so code-level checks can effectively defend against such attacks. In the second case, HTTP parameter pollution is used together with another web attack to circumvent protection, so the most effective way to stop attackers using HPP is rigorous coding that leaves the web program with no security hole in the first place. In case two, HPP helps the attacker bypass protection for an XSS attack; if the web program safely escaped the variables it takes from the URL, the XSS vulnerability would not exist and the HPP bypass would be meaningless. For the second attack scenario, the attack signature is relatively complete because the attack content is assigned to specific variables, so the web protection features of IPS and WAF products can effectively defend against it.
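As an added example (not code from Brother Yong's article), the following Python models the resolution behaviours from the table above and the two defenses from this section: a code-level check that flags a parameter name appearing more than once, and a gateway check that matches a blocklist against every plausible reassembly of a repeated parameter rather than only the raw fragments. The strategy names, function names and blocklist are assumptions chosen for illustration.

```python
from urllib.parse import parse_qs

# How each backend from the article's table collapses repeated values.
# The keys are labels of our own; the behaviours are the ones the table lists.
STRATEGIES = {
    "php_apache": lambda vals: vals[-1],          # last value wins
    "jsp_tomcat": lambda vals: vals[0],           # first value wins
    "asp_iis": lambda vals: ",".join(vals),       # all, comma-delimited
    "python_cgi": lambda vals: list(vals),        # all, as a list
    "google_style": lambda vals: " ".join(vals),  # all, joined with a space
}


def resolve(query: str, strategy: str) -> dict:
    """Return the parameters as the named backend would see them."""
    raw = parse_qs(query, keep_blank_values=True)  # name -> list of values
    pick = STRATEGIES[strategy]
    return {name: pick(vals) for name, vals in raw.items()}


def duplicated_params(query: str) -> list:
    """Code-level check: parameter names that appear more than once.
    A web program can reject the request when this list is non-empty."""
    raw = parse_qs(query, keep_blank_values=True)
    return sorted(name for name, vals in raw.items() if len(vals) > 1)


def gateway_blocks(query: str, blocklist: tuple) -> bool:
    """Gateway (WAF/IPS) check: match each blocklist entry against the raw
    fragments and against the ways a backend might reassemble them, so a
    signature split across repeated parameters is still recognised."""
    raw = parse_qs(query, keep_blank_values=True)
    for vals in raw.values():
        candidates = set(vals) | {" ".join(vals), ",".join(vals), "".join(vals)}
        if any(entry in c.lower() for c in candidates for entry in blocklist):
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs taken from the two cases discussed in the article.
    split_sql = "page=select 1&page=2,3 from table"
    cups_xss = "kerberos=onmouseover=alert(1)&kerberos"
    print(resolve(split_sql, "asp_iis"))          # reassembled SQL fragment
    print(resolve(cups_xss, "php_apache"))        # validator sees the empty value
    print(duplicated_params(cups_xss))            # ['kerberos']
    print(gateway_blocks(split_sql, ("select 1,2,3 from table",)))  # True
```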
So what is HPP (HTTP parameter pollution)?
Suppose this URL: http://www.xxxx.com/search.php?id=110&id=911
Baidu will understand it as a search for: 110 (the first parameter is chosen, the second is discarded).
Yahoo will understand it as a search for: 911 (the second parameter is chosen, the first is discarded).
Google will understand it as a search for: 110 911 (both parameters are chosen).
These three situations are the main ones.
This is mainly because different sites process parameters in different ways. PS: I studied this together with Miguel; it is a summary of Brother Mi's notes, and I feel my summary is still lacking.
So how is injection related to HTTP parameter pollution?
In the third case, the first parameter is concatenated with the second. So let's look at the URL below.
http://www.xishaonian.com/hello.php?id=select 1&id=2,3,3 from admin
This behaviour can also be used to bypass a WAF.
Of course, it can also be combined with XSS.
The specific server-side handling is the one summarized in the table earlier in this article.
"Brother Yong Talks Security With You" series: on HTTP parameter pollution