Wednesday, 20 May 2009
HPP and Fortify
At OWASP AppSec Poland 2008, Stefano Di Paola and Luca Carettoni presented their work titled "HTTP Parameter Pollution" (HPP). In essence, they inject multiple parameters with the same name into an HTTP request (in the query string, in the cookies and in the body of the request) and observe that different pieces of software make different choices about which of the duplicated values to use. They were able to exploit this behaviour in a number of applications, sometimes circumventing security mechanisms in the application itself, and sometimes defeating security products sitting in front of it.
As the presentation shows, WAF vendors have some patching to do, as their protection mechanism is broken: a WAF does not take program context into consideration, which makes it vulnerable to this type of attack. Actually, it is unclear to me how a WAF can be fully patched to catch every instance of this attack. Without knowing which instance of a parameter the program is going to use, how can you know which one to protect?
As for Fortify, our Real Time Analysis (RTA) operates in the application itself, so it does take context into consideration. In other words, it sees parameter values the same way the rest of the program sees them. RTA doesn't kick in until the request has been decoded and, as in this case, until a value has been assigned to a variable in the program, so this just isn't a problem we have.
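To make the two points above concrete, here is an added example (my own code, not Fortify's RTA and not the original HPP authors' material). It resolves a duplicated query parameter under three policies ("first", "last", "concat"), which are the kinds of behaviour the HPP research reported for different back ends; the policy names, the regex standing in for a WAF signature, and the sample requests are all constructed for illustration. It shows that a request-level filter which inspects one copy of the parameter lets a request through while the application, using a different policy, ends up with the payload, and that the same rule applied to the value the program actually resolved has no such ambiguity.

```python
"""Simulate how different back ends resolve a duplicated query parameter,
and why a request-level filter using a different rule can be bypassed.
Constructed example; the policies model behaviours reported in the HPP
research, not the documented behaviour of any particular product version."""
import re
from urllib.parse import parse_qsl


def parse_pairs(query):
    """Split a raw query string into ordered (name, value) pairs.
    parse_qsl keeps duplicates, so nothing is collapsed here."""
    return parse_qsl(query, keep_blank_values=True)


# Resolution policies: each returns the value application code would see.
def first_wins(pairs, name):
    for k, v in pairs:
        if k == name:
            return v
    return None


def last_wins(pairs, name):
    value = None
    for k, v in pairs:
        if k == name:
            value = v
    return value


def concat_comma(pairs, name):
    values = [v for k, v in pairs if k == name]
    return ",".join(values) if values else None


POLICIES = {"first": first_wins, "last": last_wins, "concat": concat_comma}


def resolve(query, name, policy):
    """Value of `name` as seen by an application using `policy`."""
    return POLICIES[policy](parse_pairs(query), name)


# A deliberately naive SQLi signature, standing in for a WAF rule.
SQLI_PATTERN = re.compile(r"(?i)\bunion\b|\bor\b\s+\d+=\d+|--")


def naive_filter_allows(query):
    """Request-level filter that inspects only the first copy of each
    parameter: it has a 'first' policy of its own, whether it knows it or not."""
    pairs = parse_pairs(query)
    for name in {k for k, _ in pairs}:
        if SQLI_PATTERN.search(first_wins(pairs, name) or ""):
            return False
    return True


def bypass_succeeds(query, name, app_policy):
    """True when the filter passes the request but the application,
    resolving the parameter its own way, ends up with a flagged payload."""
    if not naive_filter_allows(query):
        return False
    return bool(SQLI_PATTERN.search(resolve(query, name, app_policy) or ""))


def in_app_check_flags(query, name, policy):
    """The same signature applied to the value the program resolved.
    There is no question of which copy to inspect: it is the one in use."""
    return bool(SQLI_PATTERN.search(resolve(query, name, policy) or ""))


# Constructed requests (not taken from any real application).
# 1. Benign first copy, payload in the second: beats a first-copy filter
#    whenever the application takes the last value (or joins them).
DUP_LAST = "id=1&id=1 OR 1=1--&action=view"
# 2. Payload split so neither copy matches alone; a comma-joining back end
#    reassembles it into 1/*,*/ UNION SELECT ... with the comma commented out.
SPLIT_CONCAT = "id=1/*&id=*/ UNION SELECT password FROM users"

if __name__ == "__main__":
    for query in (DUP_LAST, SPLIT_CONCAT):
        print(query, "-> filter allows:", naive_filter_allows(query))
        for policy in POLICIES:
            print(f"  app policy {policy:6}: sees {resolve(query, 'id', policy)!r}, "
                  f"bypass={bypass_succeeds(query, 'id', policy)}, "
                  f"in-app check flags={in_app_check_flags(query, 'id', policy)}")
```

Run it and the first request passes the filter while an application with a "last" or "concat" policy receives `1 OR 1=1--`; the second passes too, and a comma-joining back end receives a working `UNION`. The in-app check reports exactly the cases where the program really holds the payload, and stays quiet for a "first" application that genuinely only ever uses `1`.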
Posted by at 8:13 PM in Fortify