At the OWASP AppSec Europe, researchers demonstrated a very interesting otherwise underestimated issue. Although not a new attack category but quite dangerous if executed flawlessly.
It exploits the fact how does your application behaves when receives multiple parameters with same name in same URL.
For example, .../bank.php?action=view&accID=101&action=withdraw
In URL above two one parameter 'action' has multiple occurrences with same name in same URL.
What will the web application do? It can do one of the following depending on the environment it is using:
- It may only take the data from the first parameter
- It may take the data from the last parameter
- It may take the data from all parameters and concatenate them together
Using this technique even WAF (Web Application Firewall) can be evaded, it won't filter the request.
Suppose a WAF is designed to detect and filter out attacks like SQL injection:
The attacker now passes two parameters with same name 'q' then the query will be:
If a negative security filter is applying a regex that looks for say a SELECT followed by a FROM to each individual parameter value then it would miss this attack.
The best approach to this issue is to use automated learning/profiling of the web application to identify if multiple occurrences of parameters is normal or not. Most web application firewalls, for instance, gather basic meta-data characteristics of parameters such as the normal size of the payloads or the expected character sets used (digits only vs. alphanumeric, etc...). The top tier WAFs, however, also track if there are multiple occurrences. If an attacker then adds in duplicate parameter names, the WAF would be able to flag this anomaly and take appropriate action.