
HTTP Parameter Pollution (HPP)

🔍 Introduction

HTTP Parameter Pollution (HPP) is an attack technique that exploits differences in how web applications handle duplicated parameters. Strictly speaking, it is less an attack with a specific risk of its own than a trick used to chain into other vulnerabilities: the same parameter name is sent more than once in order to induce processing the service did not intend.

Normal request

GET https://www.hahwul.com/?q=1234 HTTP/1.1

HPP request

GET https://www.hahwul.com/?q=1234&q=4444 HTTP/1.1

🗡 Offensive techniques

Detect

Send the same parameter name multiple times to specific features and observe how the application reacts. Handling differs from one web application to another, and this can be used to make two web applications that process the same request see different parameter values.

Technology                                      Parsing Result              Outcome (par1=)
ASP.NET/IIS                                     All occurrences             a,b
ASP/IIS                                         All occurrences             a,b
PHP/Apache                                      Last occurrence             b
PHP/Zeus                                        Last occurrence             b
JSP,Servlet/Tomcat                              First occurrence            a
Perl CGI/Apache                                 First occurrence            a
Python Flask                                    First occurrence            a
Python Django                                   Last occurrence             b
Nodejs                                          All occurrences             a,b
Golang net/http - r.URL.Query().Get("param")    First occurrence            a
Golang net/http - r.URL.Query()["param"]        All occurrences             a,b
IBM Lotus Domino                                First occurrence            a
IBM HTTP Server                                 First occurrence            a
mod_wsgi (Python)/Apache                        First occurrence            a
Python/Zope                                     All occurrences in array    ['a','b']

In addition, some backends handle the repeated values as an array, which can be leveraged to affect another user's privileges, as in IDOR.
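To make the table concrete, here is an added Python example (not code from the original page): it models the parsing strategies the table lists ("first", "last", "all" joined with a comma, and "list" as an array) against the page's sample query, and flags parameter names that occur more than once, which is the signal to look for when reviewing requests or writing a detection rule. The strategy names and helper functions are this example's own.

```python
from urllib.parse import parse_qsl

# Constructed sample query string (the page's HPP request): the same name sent twice.
QUERY = "q=1234&q=4444"


def parse_with_strategy(query: str, strategy: str) -> dict:
    """Return the parameter dict a backend would see under a given strategy.

    strategy is one of (labels are this example's own, mapped to the table):
      "first" - keep the first occurrence  (e.g. Flask, Tomcat, Perl CGI)
      "last"  - keep the last occurrence   (e.g. PHP, Django)
      "all"   - keep every occurrence, joined with a comma (e.g. ASP.NET, Node.js)
      "list"  - keep every occurrence as an array (e.g. Zope)
    """
    result: dict = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if strategy == "first":
            result.setdefault(name, value)
        elif strategy == "last":
            result[name] = value
        elif strategy == "all":
            result[name] = value if name not in result else result[name] + "," + value
        elif strategy == "list":
            result.setdefault(name, []).append(value)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return result


def duplicated_names(query: str) -> list:
    """Parameter names that occur more than once: the HPP signal a reviewer looks for."""
    counts: dict = {}
    for name, _ in parse_qsl(query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, count in counts.items() if count > 1)


if __name__ == "__main__":
    for strategy in ("first", "last", "all", "list"):
        print(f"{strategy:5s} -> {parse_with_strategy(QUERY, strategy)}")
    print("duplicated names:", duplicated_names(QUERY))
```

Running it shows the same request producing `1234`, `4444`, `1234,4444` or `['1234', '4444']` depending only on the strategy, which is exactly the discrepancy between components that HPP relies on.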

Bypass protection

The method differs depending on how the web application processes parameters and on which vulnerability you are trying to reach through HPP. As one example, HPP can be used to bypass host validation.

Some services process same-named parameters as an array. By building the HPP payload together with an @, as shown below, the actual domain check is bypassed and the request ends up going to a page of the attacker's choosing.

Request

GET /?url=https://trusted.domain&url=@untrusted.domain

Backend

url: https://trusted.domain,@untrusted.domain

For details, please refer to the corresponding post.

🛡 Defensive techniques

If an HPP-based attack has occurred, the way same-named parameters are handled must be changed. The exact countermeasure depends on which vulnerability HPP leads to, but if a fix is needed at the parameter level, development should proceed on the assumption that more than one value may arrive for the same parameter name.
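An added Python example (not code from the original post) covering both the host-validation bypass shown above and the parameter-level rule in this section: it models a backend that joins repeated values with a comma, shows that a string-prefix check on the joined value passes while the hostname a URL parser actually extracts is the untrusted one, and contrasts a hardened version that refuses repeated parameters and validates the parsed host instead of a prefix. trusted.domain and untrusted.domain come from the page's example; TRUSTED_HOST, the function names and the sample query strings are this example's own assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed allow-listed host (placeholder taken from the page's example).
TRUSTED_HOST = "trusted.domain"

# Constructed query strings: a normal redirect target and the page's HPP request.
NORMAL = "url=https://trusted.domain/home"
POLLUTED = "url=https://trusted.domain&url=@untrusted.domain"


def backend_value(query: str, name: str) -> str:
    """Model a backend that joins repeated values with a comma (the 'Backend' line above)."""
    return ",".join(parse_qs(query, keep_blank_values=True).get(name, []))


def naive_is_trusted(url: str) -> bool:
    """Weak check: accepts anything that merely starts with the trusted origin."""
    return url.startswith("https://" + TRUSTED_HOST)


def effective_host(url: str):
    """Host a URL-aware client would actually connect to (text before '@' is userinfo)."""
    return urlsplit(url).hostname


def hardened_redirect_target(query: str, name: str = "url"):
    """Return a safe redirect URL, or None when the request must be refused.

    Assumes duplicates can arrive, and rejects them outright instead of picking
    one; then validates the parsed scheme and hostname rather than a prefix.
    """
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    if len(values) != 1:
        return None  # repeated (or missing) parameter: refuse rather than guess
    url = values[0]
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != TRUSTED_HOST:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo ('...@host') is never expected in a redirect target
    return url


if __name__ == "__main__":
    joined = backend_value(POLLUTED, "url")
    print("backend sees      :", joined)
    print("naive check passes:", naive_is_trusted(joined))
    print("client goes to    :", effective_host(joined))
    print("hardened (HPP)    :", hardened_redirect_target(POLLUTED))
    print("hardened (normal) :", hardened_redirect_target(NORMAL))
```

The point of the hardened version is the first branch: once the code assumes the same name can arrive more than once, the array-join behaviour can no longer be steered into a value the validator never looked at.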

🕹 Tools

  • Most tools, such as ZAP and Burp Suite, detect this.

📚 Articles

📌 References

Licensed under CC BY-NC-SA 4.0
Last updated on Oct 24, 2021 18:30 +0900