Shritam Bhowmick Explains HTTP Parameter Contamination

HTTP Parameter Contamination

By Shritam Bhowmick
Web Application Penetration Tester
LinkedIn: https://www.linkedin.com/profile/view?id=281014248&trk=nav_responsive_tab_profile
Academia: https://independent.academia.edu/ShritamBhowmick
Facebook: https://www.facebook.com/coded32

In my previous post on Enterprise HTTP Security, I described how HTTP security is a fine piece of clockwork for an application penetration tester; this post looks into deeper aspects of HTTP security and into how logical manipulation of HTTP can be used by an attacker to surface underlying application-level vulnerabilities, bypassing any security restrictions that were originally in place.

In standard application development, a multi-tier application architecture is prevalent. The multi-tier architecture is a client-server architecture in which the presentation, the application processing and the data management are completely separate processes. In basic terms, the multi-tier architecture is convenient for developers: they can re-use code and build applications without having to write the whole application framework all over again. They need only modify parts of the architecture, tier by tier, and gain flexibility in how such applications are used. The unfortunate part is that handling the same data across multiple platforms can lead to a security breach, or leave the application vulnerable. Logical errors are triggered this way and are completely different from injection-based attacks such as:

  • LDAP/Blind LDAP Injections
  • XML Injection
  • HTML Injection
  • SQL Injection
  • ORM based Injection
  • Spring Injection/nHibernate Injection
  • Xpath Injection
  • Command Injection

All of the above-mentioned ‘injection’ variants are code-level application vulnerabilities and are completely different from ‘logical’ vulnerabilities, which can still have a greater impact on web applications. During my earlier research, in the early phases of dissecting the behavioural patterns of applications built on different platforms and web architectures, I found that these patterns led to a couple of logic-based vulnerabilities which an attacker could use to their benefit. This led me to research further, and I concluded that what I had found already existed under the name ‘HTTP Parameter Contamination’ (HPC). During my research at Defencely, I found that this particular attack methodology is not tied to a specific platform but applies across many different web platforms, such as PHP on Apache, ASP.NET on IIS, etc.


Enterprise HTTP Security Inspection for Realistic Application Security

The need for HTTP Security Inspection on Application Security

By Shritam Bhowmick
Web Application Penetration Tester

Application Layer – HTTP from the Security Perspective

The application layer is the first layer that needs a security check going beyond the other common checks. Automated scanners may do some of this as part of their pre-programmed logic, but most of them fail to find the bugs that pass through the HTTP handler and therefore leave critical vulnerabilities in place for the business enterprise. Yes, I am talking about the Hypertext Transfer Protocol (HTTP), by now the most common and most widely used text-based protocol on the internet. Web applications use this text-based protocol because it is easier to implement and to handle parallel requests with. The web server handles the requests made by clients, and penetration testers often ignore a variety of checks against HTTP from the security perspective. Once an application penetration tester has studied HTTP in depth, he/she can understand why a particular request can be manipulated through a client-side proxy in multiple ways to produce a critical security bypass.

Before I jump into conclusions about the security aspects of the Hypertext Transfer Protocol, my application security research has produced a comprehensive study of where to start with HTTP from the security standpoint. This question has been asked many times, and people have failed to come up with an exact method that details everything in one book or post. This study is more of a guideline for application penetration testers than a reference study, but it can be used either way. I had prepared a standard draft for HTTP security research in topic segments which could be sub-categorized further if desired; for the sake of reference and guidance, I have organized them into modular topics that any application security researcher, bug hunter or application security enthusiast can use for their own analysis.
