Airing

Philosophy student / primary school teacher / programmer. Personal website: ursb.me

Examples and Prevention of HPP Attacks

Principles of HPP Attacks

HPP, short for HTTP Parameter Pollution, refers to polluting the parameters of an HTTP request. The HTTP protocol allows a parameter with the same name to appear more than once in a request. An attacker can exploit this by sending several parameters with the same key but different values, so that whichever copy the backend happens to prefer bypasses protections and parameter validation. It is a kind of injection vulnerability: the attacker mounts the attack by inserting crafted parameters into HTTP requests.

Here is an example:

In 2015, someone discovered an HPP vulnerability in HackerOne's social sharing buttons (https://hackerone.com/reports/105953).

In the vulnerability report, the URL:

https://hackerone.com/blog/introducing-signal

was modified to:

https://hackerone.com/blog/introducing-signal?&u=https://me.ursb.me

When the page builds the share link for social media from this URL, the Facebook share link becomes:

https://www.facebook.com/sharer.php?u=https://hackerone.com/blog/introducing-signal?&u=https://me.ursb.me

Here, the last "u" parameter takes precedence over the first one. When the post is shared on Facebook, Facebook redirects to https://me.ursb.me instead of hackerone.

Here is a small demo that reproduces the problem:

const express = require('express')
const bodyParser = require('body-parser')
const app = express()

// Parse JSON bodies; JSON.parse keeps the last value of a duplicated key
app.use(bodyParser.json())

// Deliberately performs no validation of "account", so a polluted body is accepted as-is
app.post('/login', (req, res) => {
  const { account } = req.body
  return res.json({ message: `login successful: ${account}` })
})

app.listen(3000)

Send a request to this simulated login endpoint. Suppose the user types "airing" in the frontend as the account to log in with, but the request is tampered with so that the body carries two "account" members, one with the value "airing" and the other with the value "ursb". Because the backend does no validation and the JSON parser keeps the last duplicate key, the login is performed as "ursb" instead of "airing".

POST /login HTTP/1.1
Host: localhost:3000
Content-Type: application/json

{
    "account": "airing",
    "account": "ursb"
}

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: application/json; charset=utf-8
Content-Length: 35
ETag: W/"23-/iZ+yuhJ7IhuWOkYuK395opzCZI"
Date: Thu, 11 Apr 2019 13:09:53 GMT
Connection: close

{
  "message": "login successful: ursb"
}

Measures to Prevent HPP

How an HPP attack plays out depends mainly on how the backend handles multiple parameters with the same name, and different servers and frameworks handle this differently (some keep the first value, some the last, some all of them).

We need to be aware that the HTTP protocol allows parameters with the same name, and handle that case deliberately at every stage of the application's processing, according to what the business logic requires. Above all, preventing HPP vulnerabilities requires the backend to validate its input parameters properly.
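As an added example that is not part of the original post, the two checks below make duplicate parameters visible before a framework collapses them to a single value: URLSearchParams.getAll() for query strings, and a raw-text scan for JSON bodies, since JSON.parse silently keeps only the last copy of a repeated key. The share URL and login body are the post's own values, embedded here as constructed inputs.

```javascript
// Added example, not code from the original post: surface polluted parameters
// before the framework silently collapses duplicates to one value.

// Query strings: URLSearchParams keeps every occurrence of a key, so getAll()
// exposes the duplicates that single-value access (e.g. req.query.u) would hide.
function findDuplicateQueryParams(url) {
  const params = new URL(url).searchParams;
  const dups = {};
  for (const key of new Set(params.keys())) {
    const values = params.getAll(key);
    if (values.length > 1) dups[key] = values;
  }
  return dups;
}

// JSON bodies: JSON.parse keeps the last duplicate key and drops the rest, so
// the check must scan the raw text. Returns keys that repeat within the same
// object; nested objects are scoped separately and strings in arrays are ignored.
function findDuplicateJsonKeys(text) {
  const scopes = []; // one Set of seen keys per open object, null per open array
  const dups = [];
  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (c === '"') {
      let j = i + 1; // find the closing quote, skipping escaped characters
      while (j < text.length && text[j] !== '"') j += text[j] === '\\' ? 2 : 1;
      const literal = JSON.parse(text.slice(i, j + 1)); // decodes escapes correctly
      let k = j + 1; // a string followed by ':' is a key of the enclosing object
      while (k < text.length && /\s/.test(text[k])) k++;
      const scope = scopes[scopes.length - 1];
      if (text[k] === ':' && scope) {
        if (scope.has(literal) && !dups.includes(literal)) dups.push(literal);
        scope.add(literal);
      }
      i = j + 1;
      continue;
    }
    if (c === '{') scopes.push(new Set());
    else if (c === '[') scopes.push(null);
    else if (c === '}' || c === ']') scopes.pop();
    i++;
  }
  return dups;
}

// Constructed inputs mirroring the post: the polluted Facebook share URL and
// the tampered login body carrying two "account" members.
const shareUrl = 'https://www.facebook.com/sharer.php?u=https://hackerone.com/blog/introducing-signal?&u=https://me.ursb.me';
const loginBody = '{"account": "airing", "account": "ursb"}';
console.log(findDuplicateQueryParams(shareUrl)); // both "u" values, in request order
console.log(findDuplicateJsonKeys(loginBody));   // the repeated key "account"
```

A backend that rejects a request whenever either function returns something non-empty never has to guess which copy of a parameter the framework will hand it.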
