HTTP Headers Pollution (server output pollution)

After reading http://www.acunetix.com/blog/whitepaper-http-parameter-pollution/ I tried to check the same thing for HTTP headers. With Apache/2.2.15 (CentOS) and PHP 5.3.6 I got the following result:
Image
So we can see the difference between HTTP parameter pollution (HPP) and HTTP headers pollution (HHP) for Apache/PHP. With HPP on the PHP/Apache combination, only the last occurrence of the user input in the request appears. With HHP the situation is different: the repeated inputs are concatenated with a comma. This can be very useful for bypassing filters in some cases.

UPDATE: It can be used for application flow manipulation (and not only that). For example, in cases where the length of each header (as an element of the headers array) is checked separately, but the final merged header is subsequently used in the way shown in the image above. I didn't look at the Apache source code closely, but possibly it may be useful for bypassing the latest patch for the CVE-2012-0053 vulnerability, in which the length of the Cookie header value (each? final?) must be less than 80 chars.
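
The gap described in the update, as an added example (not code from the original post): a small Python model that merges repeated headers with a comma, as observed above on Apache/PHP, and compares a per-line length check with checks applied to what the application actually receives. The `X-Token` header, the 16-character limit and the sample request are constructed assumptions.

```python
MAX_LEN = 16  # hypothetical per-value length limit enforced by a filter


def parse_header_lines(raw):
    """Split a raw HTTP request head into (name, value) pairs, one per header line."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def merge_like_server(pairs):
    """Join repeated headers with ', ' (the behaviour the post observed on Apache/PHP)."""
    merged = {}
    for name, value in pairs:
        merged[name] = merged[name] + ", " + value if name in merged else value
    return merged


def check_per_line(pairs, name):
    """Weak check: each occurrence of the header is measured on its own."""
    return all(len(v) <= MAX_LEN for n, v in pairs if n == name)


def check_merged(pairs, name):
    """Stricter check: measure the merged value the application will see."""
    return len(merge_like_server(pairs).get(name, "")) <= MAX_LEN


def reject_duplicates(pairs, name):
    """Strictest option: refuse requests that repeat a header expected only once."""
    return sum(1 for n, _ in pairs if n == name) <= 1


# Constructed sample request that sends the same header twice.
SAMPLE = ("GET / HTTP/1.1\r\nHost: example.test\r\n"
          "X-Token: AAAAAAAAAAAA\r\nX-Token: BBBBBBBBBBBB\r\n\r\n")

if __name__ == "__main__":
    pairs = parse_header_lines(SAMPLE)
    print("merged value :", merge_like_server(pairs)["x-token"])
    print("per-line ok  :", check_per_line(pairs, "x-token"))
    print("merged ok    :", check_merged(pairs, "x-token"))
    print("no duplicates:", reject_duplicates(pairs, "x-token"))
```

The per-line check accepts the request while the merged value exceeds the limit, so validation belongs on the merged value, or the request should be rejected when a single-valued header is repeated.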

P.S. The cause probably depends on the web server version, but the same thing may exist in older versions.
