
Re: [WEB SECURITY] HPP protection




Hi,

Sure enough, the concatenation is done at the webserver level, but the outcome
of that, i.e., the concatenated values, is used at application level.

It is very trivial to detect an HPP attack. If you are looking to check for
an HPP attack against a specific querystring parameter, say of name "a", then
you could do this:

    If Request.QueryString("a").Count > 1 Then
        ' HPP injection, or you are accepting data from a multi-select input box
    Else
        ' all is well, no HPP injection
    End If

You can extend this to all parameters by adding something like this to all pages:

    Dim counter
    For Each counter In Request.QueryString
        If Request.QueryString(counter).Count > 1 Then
            ' HPP injection, or you are accepting data from a multi-select input box
        Else
            ' all is well, no HPP injection
        End If
    Next


The same can be extended for form and cookie parameters.

Hope this helps.

Cheers,
Lava


On Tue, Nov 10, 2009 at 8:01 PM, application.secure application.secure <
application.secure@gmail.com> wrote:

> Hello,
>
> I was implementing a protection against HPP for an IIS-ASP website.
> After 1 hour of work, I'm understanding that it's not possible to build this
> kind of protection at application level...
> Of course, the concatenation of string is done at webserver level... so
> before my application (detection) process...
> ;)
>
> HPP is an application attack pattern which cannot be detected at
> application level.
>
> Am I right?
>
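As an added example (not code from the post or from any project it names), the same Count > 1 check expressed in Python over raw query, form and Cookie strings, with a side-by-side view of what a consumer that only reads the joined string would see; the allow-list, the sample inputs and the ", " join separator are assumptions.

```python
from typing import Dict, List
from urllib.parse import unquote, unquote_plus

# Parameters that legitimately repeat (e.g. a multi-select input box).
# Constructed allow-list for this example; a real application lists its own.
MULTI_VALUED = {"tags"}

def parse_params(raw: str, sep: str = "&", form_encoded: bool = True) -> Dict[str, List[str]]:
    """Split a raw query string, form body or Cookie header into
    name -> list of every value seen, preserving repeats rather than
    collapsing or concatenating them the way the server object does."""
    decode = unquote_plus if form_encoded else unquote
    params: Dict[str, List[str]] = {}
    for pair in raw.split(sep):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(decode(name), []).append(decode(value))
    return params

def find_hpp(params: Dict[str, List[str]], allowed_multi=MULTI_VALUED) -> Dict[str, List[str]]:
    """The Count > 1 check from the post: report names that arrive more than
    once unless they are expected to be multi-valued."""
    return {n: v for n, v in params.items() if len(v) > 1 and n not in allowed_multi}

def concatenated_view(params: Dict[str, List[str]], sep: str = ", ") -> Dict[str, str]:
    """What code that reads only the joined string sees; the separator is an
    assumption standing in for the platform's own concatenation behaviour."""
    return {n: sep.join(v) for n, v in params.items()}

def check_request(query: str = "", form: str = "", cookie: str = "") -> Dict[str, Dict[str, List[str]]]:
    """Apply the check to the three sources the post names: query, form, cookie."""
    sources = (("query", query, "&", True), ("form", form, "&", True), ("cookie", cookie, ";", False))
    findings: Dict[str, Dict[str, List[str]]] = {}
    for name, raw, sep, form_encoded in sources:
        hits = find_hpp(parse_params(raw, sep, form_encoded)) if raw else {}
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    # Constructed request: "id" repeated (suspicious), "tags" repeated (allowed)
    q = "id=5&id=6&tags=x&tags=y"
    print(concatenated_view(parse_params(q)))   # "id" looks like one value "5, 6"
    print(check_request(query=q, cookie="s=abc; s=def"))
```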



