Testing for HTTP Parameter pollution (OWASP-DV-004)

Revision as of 11:53, 21 August 2013 by Ben Walther (Talk | contribs)

Jump to: navigation, search
This article is part of the new OWASP Testing Guide v4. 
At the moment the project is in the REVIEW phase.

Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: http://www.owasp.org/index.php/OWASP_Testing_Project


Brief Summary

Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors, or modify internal variables values.

Description of the Issue

Current HTTP standards do not include guidance on how to interpret multiple input parameters with the same name. Without a standard in place, web applications handle this edge case in a variety of ways (see the table below for details). It is not necessarily an indication of vulnerability when an application server responds to multiple similar parameters; this is expected behavior for handling an unusual input. The vulnerability depends if an one can abuse the concatenation or substitution of variable values to cause errors or bypass validation.

For example, when using the Zope platform (written in the Python programming language), multiple string parameters are assembled into a List data structure. Because Python is dynamically typed language, this can expose errors when the code expects a string and receives a List instead. Depending on where this error

Given the URL and querystring: http://example.com/?color=red&color=blue

Web Application Server Backend Parsing Result Example
ASP.NET / IIS All occurrences concatenated with a comma color=red,blue
ASP / IIS All occurrences concatenated with a comma color=red,blue
PHP / Apache Last occurrence only color=blue
PHP / Zeus Last occurrence only color=blue
JSP, Servlet / Apache Tomcat First occurrence only color=red
JSP, Servlet / Oracle Application Server 10g First occurrence only color=red
JSP, Servlet / Jetty First occurrence only color=red
IBM Lotus Domino Last occurrence only color=blue
IBM HTTP Server First occurrence only color=red
mod_perl, libapreq2 / Apache First occurrence only color=red
Perl CGI / Apache First occurrence only color=red
mod_wsgi (Python) / Apache First occurrence only color=red
Python / Zope All occurrences in List data type color=['red','blue']

(source: Media:AppsecEU09_CarettoniDiPaola_v0.8.pdf )

Black Box testing and example

Testing for Topic X vulnerabilities:
Result Expected: