hhucn / webvulnscan

automated web application vulnerability scanner
MIT License

New attacker module which scans for HTTP Header Pollution #29

Open rliebig opened 11 years ago

rliebig commented 11 years ago

HTTP Header Pollution is an attack where an HTTP parameter (POST and GET) is repeated again. As an example, http://localhost/xss?username=nowhere&username=shown. The only valid response would be an error; however, it isn't; some pages only return the last/first occurrence of this string. This should be checked.

Interesting Links:

phihag commented 11 years ago

It's perfectly fine for a web application to allow multiple instances of the same key in a query string. The vulnerability here is either

  1. Multiple components parsing the query string with different logic
  2. Frameworks doing interesting things (typically constructing a list) when a parameter is given multiple times, and application writers handling this incorrectly

In many cases, the actual vulnerability is something else entirely; it is insufficient encoding. When user input ends up in a URL, it must be URL-encoded first, and then HTML-encoded.
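An added example illustrating the comment above (it is not part of the thread or of webvulnscan's code): it shows how first-wins, last-wins and list-building parsers read the same query string, and builds a link with the URL-encode-then-HTML-encode order. The function names and the `/profile` path are hypothetical.

```python
from html import escape
from urllib.parse import parse_qs, parse_qsl, urlencode


def first_wins(query):
    """Parse like a component that keeps the first occurrence of a key."""
    result = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        result.setdefault(key, value)
    return result


def last_wins(query):
    """Parse like a component that keeps the last occurrence of a key."""
    return dict(parse_qsl(query, keep_blank_values=True))


def as_list(query):
    """Parse like a framework that collects repeated keys into a list."""
    return parse_qs(query, keep_blank_values=True)


def parser_disagreements(query):
    """Return {key: (first, last)} for keys where two parsers would differ.

    A non-empty result means two components with different logic (for
    example a filter and the application behind it) see different values.
    """
    first, last = first_wins(query), last_wins(query)
    return {k: (first[k], last[k]) for k in first if first[k] != last[k]}


def build_link(base, params):
    """Embed user-controlled values in an href: URL-encode, then HTML-encode."""
    url = base + "?" + urlencode(params)  # step 1: URL-encode each value
    return '<a href="%s">link</a>' % escape(url, quote=True)  # step 2


if __name__ == "__main__":
    polluted = "username=nowhere&username=shown"  # query from the issue text
    print(as_list(polluted))
    print(parser_disagreements(polluted))
    # Constructed input: a value that tries to smuggle in a second parameter.
    print(build_link("/profile", {"username": "x&username=y", "page": "1"}))
```

Because the value is URL-encoded before it is placed in the link, the receiving parser sees one `username` parameter whose value contains the literal `&` and `=`.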