Ivan Marković

Security consultant and researcher

Long experience in designing and implementing security solutions, mainly oriented towards web, mobile and embedded applications. Author of penetration testing tools recognized by the OWASP organization and the BackTrack Linux distribution. Research work includes the discovery of vulnerabilities in numerous applications and services, for which the author received public acknowledgement from Microsoft.

Contact via LinkedIn or read interesting stuff on Twitter.

Http Parameter Contamination

Http Parameter Contamination - Research paper
Ivan Markovic <ivanm@security-net.biz>
Serbia, year 2011

Table of contents:

- Introduction to Http Parameter Contamination (HPC)
- Web Server Enumeration
- Web Application Firewall (WAF) Bypass Proof Of Concept
- Real world examples
- Conclusion and further research
- Credits

= Introduction to Http Parameter Contamination (HPC)

In software engineering, multi-tier architecture is a client and server architecture in which the presentation,
the application processing, and the data management are logically separate processes. Multi-tier
application architecture provides a model for developers to create a flexible and reusable application. By
breaking an application up into tiers, developers only have to modify or add a specific layer rather than
rewrite the entire application. Differences in how the same data is handled on a variety of
platforms can lead to a logical error or a security vulnerability.

Let's examine Web Service deployment tiers:

CLIENT TIER                APPLICATION TIER                   DATA TIER

Proprietary Application    Web servers:                       Relational DB
Web Browser                  Microsoft IIS, Apache Axis,      XML Data Store
External Web Service         WebLogic, WebSphere, Zope        FS Data Store
External Web Application   Platforms:                         Web Services
                             .NET, J2EE, COLDFUSION,          Legacy Applications
                             PHP, PERL, PYTHON

Client tier <-> application tier:   SOAP, HTTP/S
Application tier <-> data tier:     SQL, XML, SOAP, Adapter

Adding more flexible layers may open the door to many new forms of abuse and attack vectors.
Rapid application development and technology growth make a security development lifecycle almost
impossible to apply. After some time all bugs get fixed.

But what about weaknesses that have existed for many years in the most popular protocol on the web, HTTP?
Two years ago we witnessed a new approach that exploits a logic weakness in HTTP by manipulating
query string delimiters (&): HTTP PARAMETER POLLUTION.

In a nutshell, Http Parameter Pollution inserts additional query string delimiters or additional
parameters with the same name into an HTTP request to bypass security restrictions, taking advantage of
platform-specific behaviour or an application error.

The original idea for HTTP PARAMETER CONTAMINATION (HPC) comes from the innovative approach found in
the HPP research: exploring deeper and exploiting strange behaviours in web server components, web
applications and browsers that result from contaminating query string parameters with reserved or
unexpected characters.

Some facts:

- The term Query String is commonly used to refer to the part between the ? and the end of the URI
- As defined in the RFC 3986, it is a series of field-value pairs
- Pairs are separated by & or ;
- RFC 2396 defines two classes of characters:
    Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( )
    Reserved:   ; / ? : @ & = + $ ,
    Unwise:     { } | ^ [ ] `

= Real world examples

{1} Bypass of the Mod_Security SQL injection rule (modsecurity_crs_41_sql_injection_attacks.conf)

Forbidden: http://localhost/?xp_cmdshell
Bypassed ([ => _): http://localhost/?xp[cmdshell

[Sun Jun 12 12:30:16 2011] [error] [client] ModSecurity: Access denied with code 403 (phase 2). Pattern match
"bsys.user_objectsb" at ARGS_NAMES:sys.user_objects. [file "/etc/apache2/conf.d/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "110"] [id "959519"] [rev "2.2.0"] [msg "Blind SQL Injection Attack"] [data "sys.user_objects"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/"] [unique_id "TfT3gH8AAQEAAAPyLQQAAAAA"]

{2} Bypass of the URLScan 3.1 DenyQueryStringSequences rule

Bypassed (.%. => ..):

2011-06-25 13:35:37 1 GET /test.asp?file=../bla.txt Rejected disallowed+query+string+sequence query+string - ..
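The two examples above share one root cause: the filter matches the query string as received, while the backend rewrites it before use. The following is an added illustration, not code from the paper or from either product. The two rewrites it models ('[' becoming '_' in a parameter name, and a '%' that does not start a valid %XX escape being dropped from a value) are assumptions taken from the paper's observations, not the exact algorithms of PHP or IIS; the signatures are the two from the examples above.

```python
import re
from urllib.parse import parse_qsl

# Signatures taken from the two examples in the paper.
NAME_RULE = re.compile(r"xp_cmdshell", re.IGNORECASE)   # ModSecurity case
VALUE_RULE = re.compile(r"\.\.")                        # URLScan case


def php_style_name(name: str) -> str:
    """Assumption modelled on the paper's '[ => _' observation:
    the backend rewrites '[' in a parameter name to '_'."""
    return name.replace("[", "_")


def iis_style_value(value: str) -> str:
    """Assumption modelled on the paper's '.%. => ..' observation:
    a '%' that is not followed by two hex digits is dropped."""
    return re.sub(r"%(?![0-9A-Fa-f]{2})", "", value)


def naive_waf(query: str) -> bool:
    """Rules applied to the raw query string, the way the bypassed
    filters behaved. Returns True when the request would be blocked."""
    return bool(NAME_RULE.search(query) or VALUE_RULE.search(query))


def normalizing_waf(query: str) -> bool:
    """Rules applied to what the backend will actually see: each name
    and value is normalized first, then matched. Returns True on block."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        if NAME_RULE.search(php_style_name(name)):
            return True
        if VALUE_RULE.search(iis_style_value(value)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample queries: the paper's two contaminated forms
    # beside their plain forms and a benign request.
    for q in ("xp_cmdshell", "xp[cmdshell",
              "file=../bla.txt", "file=.%./bla.txt", "page=1&q=hello"):
        print(f"{q:20} raw-match={naive_waf(q)!s:5} "
              f"normalized-match={normalizing_waf(q)}")
```

The point for a defender is the last column: only the filter that canonicalizes the way its backend does gives the same verdict for the plain and the contaminated form.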

= Credits

Many thanks to: RSnake (http://ha.ckers.org/), j0rgan (http://www.remote-exploit.org/?page_id=2) and
lightos (http://sla.ckers.org/forum/read.php?3,36640) for their support during this research.

= Links

Link to full document: Http Parameter Contamination