Monday, June 8, 2009

How to use a Waf against HTTP Parameters Pollution

HTTP Parameter Pollution is a way of using query string, POST or cookie variables to attack an application. It was presented at OWASP EU 2009 by Stefano di Paola and Luca Carettoni. You can find the presentation here

Two examples of HTTP Parameter Pollution:

First, you can send the same variable more than once; depending on the framework or language, the different values of that variable will be concatenated.

index.asp?var1=val1&var2=val2&var1=val3 will result in index.asp?var1=val1+val3

Second, you can try to brute-force variable names to find ones used by the application but never exposed in a query string.

Example:

index.php?db_login=test&db_password=test may produce an "authentication failed" error from the database.

A web application firewall is able to filter each part of an HTTP request. It can work on a positive model, allowing requests only if they respect a known-good format, and it can block requests that match a negative (attack) format.

To block HTTP Parameter Pollution, you need a set of positive rules on your web application firewall. These two points will help you protect against it.

  • Learn the variables used by each script. Your WAF should be able to do this and then restrict requests to the learnt variables. This blocks parameters that exist in the code but are not meant to be reachable through the query string, POST data or cookies. For example, a query string containing ?id=543&component=gallery&db_login=test will be blocked because "db_login" was never seen during the learning period, so it is not the normal behavior of the application. If the URL does not contain ONLY learnt parameters, it is blocked.

  • Enable request sanitization to block requests containing two or more variables with the same name. Your WAF should be able to do this and/or concatenate the values so that it inspects what the application will actually use. For example, ?id=543&component=gallery&picture=1'%20O&picture=R%201=1 will be transformed by the WAF's parsing into ?id=543&component=gallery&picture=1'%20OR%201=1, and the attack will be detected as SQL injection.

A WAF can work with positive security policies that are more or less strict, depending on how it builds its positive rules. Many automated processes can build this list of variables and parameters for you. Depending on the WAF, this kind of setup can be more or less time consuming.
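The two checks above, written as an added example (not code from the post or from any WAF product): a learnt allow-list of parameters per script, a duplicate-parameter check, and concatenation of duplicated values so the joined value can be inspected by a simple negative rule. The script path, the learnt parameter set and the SQL injection markers are constructed for the example; the joiner used when concatenating is a parameter, since it depends on the backend framework.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed allow-list: parameters seen per script during the learning
# period of a hypothetical application.
LEARNED_PARAMS = {
    "/index.php": {"id", "component", "picture"},
}

# Minimal negative rule, only to show that the concatenated value is
# what gets inspected; a real WAF uses far richer signatures.
SQLI_MARKERS = ("' or ", "'or ", " or 1=1", "union select")


def inspect_request(url: str, joiner: str = "") -> dict:
    """Apply the two positive checks from the post to one request URL.

    1. Every parameter must have been learnt for that script.
    2. A parameter repeated in the same request is flagged, and its values
       are concatenated (as a permissive framework would do) before the
       negative rules look at them.
    Returns the decision, the reasons and the merged parameter map.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    allowed = LEARNED_PARAMS.get(parts.path)
    if allowed is None:
        reasons.append(f"unknown script {parts.path}")
        allowed = set()
    merged = {}
    for name, value in pairs:
        if name not in allowed:
            reasons.append(f"unlearned parameter {name!r}")
        if name in merged:
            reasons.append(f"duplicated parameter {name!r}")
            merged[name] = merged[name] + joiner + value
        else:
            merged[name] = value
    for name, value in merged.items():
        if any(m in value.lower() for m in SQLI_MARKERS):
            reasons.append(f"SQL injection pattern in {name!r}: {value!r}")
    return {"blocked": bool(reasons), "reasons": reasons, "merged": merged}


if __name__ == "__main__":
    for u in ("/index.php?id=543&component=gallery&db_login=test",
              "/index.php?id=543&component=gallery&picture=1'%20O&picture=R%201=1",
              "/index.php?id=543&component=gallery&picture=7"):
        print(u, "->", inspect_request(u))
```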

1 comment:

Sylvain Maret said…

Hello Matthieu,

Cool to see that you now have a blog. I'm adding a link to it.

See you soon

Sylvain
