Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

In this paper, we present the first automated approach for the discovery of HTTP Parameter Pollution vulnerabilities in web applications.Using our prototype implementation called PAPAS(PArameter Pollution Analysis System),we conducted a large-scale analysis of more than 5,000 popular
websites.Our experimental results show that about 30% of the websites that we analyzed contain vulnerable parameters and that 46.8% of the vulnerabilities we discovered (i.e., 14% of the total websites) can be exploited via HPP attacks.The fact that PAPAS was able to find vulnerabilities in many high-profile, well-known websites suggests that many developers are not aware of the HPP problem.We informed a number of major websites about the vulnerabilities we identified,and our findings were confirmed

Download: PDF

PAPAS: PArameter Pollution Analysis System (Beta)