Today there was a posting by Stefano di Paola to the Web Security
Mailing List,
http://www.webappsec.org/lists/websecurity
about “HTTP Parameter Pollution”, with a reference to his and Luca
Carettoni presentation at
http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf
The point is that different web servers/backends behave differently when
handling requests such as
GET /foo?par1=val1&par1=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
POST /foo HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
Content-Length: 19
par1=val1&par1=val2c
The point is that the same key (here par1) occurs with two or more
values. They document both server and client side attacks based on this.
On page 9 the presentation lists many http servers/backends, but not
Rails (instead, the Linksys Wireless-G PTZ Internet Camera is
included:-). I believe Rails falls under “Last occurrence”, and I think
that works out well.
In particular, I see Rails handling requests such as
http://localhost:3000/login?controller=other_controller&action=other_action&action=another_action
just fine – the controller/action one expects is invoked (here,
login/index).
However I couldn’t find the behaviour with respect to such multiple
key-value assignments, or attempts at overriding the “Rails special”
controller/action keys, covered in the actionpack unit tests.
Can you make out any security problems?
Stephan