From 33cf9fa2d2c95b7e06655e3be5cf2fbb4f52d601 Mon Sep 17 00:00:00 2001 From: pang9979 <86699842+pang9979@users.noreply.github.com> Date: Wed, 28 Jul 2021 19:15:45 +0800 Subject: [PATCH 1/2] Add one technology to the table --- HTTP Parameter Pollution/README.md | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/HTTP Parameter Pollution/README.md b/HTTP Parameter Pollution/README.md index 23c5057..8192797 100644 --- a/HTTP Parameter Pollution/README.md +++ b/HTTP Parameter Pollution/README.md 
@@ -24,22 +24,22 @@ Attacker -- http://example.com?search=Beth&search=' OR 1=1;## --> WAF (reads fir ### Table of refence for which technology reads which parameter When ?par1=a&par1=b -| Technology | Parsing Result |outcome (par1=)| -| ------------------ |--------------- |:-------------:| -| ASP.NET/IIS |All occurrences |a,b | -| ASP/IIS |All occurrences |a,b | -| PHP/Apache |Last occurrence |b | -| PHP/Zues |Last occurrence |b | -| JSP,Servlet/Tomcat |First occurrence |a | -| Perl CGI/Apache |First occurrence |a | -| Python Flask |First occurrence |a | -| Python Django |Last occurrence |b | -| Nodejs |All occurrences |a,b | -| Golang net/http - `r.URL.Query().Get("param")` |First occurrence |a | -| Golang net/http - `r.URL.Query()["param"]` |All occurrences |a,b | - +| Technology | Parsing Result |outcome (par1=)| +| ------------------ |--------------- |:-------------:| +| ASP.NET/IIS |All occurrences |a,b | +| ASP/IIS |All occurrences |a,b | +| PHP/Apache |Last occurrence |b | +| PHP/Zues |Last occurrence |b | +| JSP,Servlet/Tomcat |First occurrence |a | +| Perl CGI/Apache |First occurrence |a | +| Python Flask |First occurrence |a | +| Python Django |Last occurrence |b | +| Nodejs |All occurrences |a,b | +| Golang net/http - `r.URL.Query().Get("param")` |First occurrence |a | +| Golang net/http - `r.URL.Query()["param"]` |All occurrences |a,b | +| Python/Zope |All occurences in array |['a','b'] | ## References - [HTTP Parameter Pollution - Imperva](https://www.imperva.com/learn/application-security/http-parameter-pollution/) - [HTTP Parameter Pollution in 11 minutes | Web Hacking - PwnFunction](https://www.youtube.com/watch?v=QVZBl8yxVX0&ab_channel=PwnFunction) -- [How to Detect HTTP Parameter Pollution Attacks - Acunetix](https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/) \ No newline at end of file +- [How to Detect HTTP Parameter Pollution Attacks - Acunetix](https://www.acunetix.com/blog/whitepaper-http-parameter-pollution/) 
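Review bot: the hunk deletes and re-adds every existing row of the table when only one row is new, so the substantive change (`| Python/Zope |All occurences in array |['a','b'] |`) is buried in whitespace-only churn; please restore the untouched rows byte-for-byte so the diff shows just the added line. The new row also misspells `occurrences` as `occurences` and renders the outcome as `['a','b']` while every other row uses the bare `a,b` form; `a,b` with "All occurrences (as a list)" in the middle column would keep the table consistent. Since this hunk already touches those lines, the pre-existing `PHP/Zues` (presumably `Zeus`) and the heading `Table of refence` (`reference`) in the context are worth fixing in the same commit.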
From 7cb359644a15b5de58f8f24edb98ec81eb768889 Mon Sep 17 00:00:00 2001 From: pang9979 <86699842+pang9979@users.noreply.github.com> Date: Fri, 30 Jul 2021 13:34:02 +0800 Subject: [PATCH 2/2] Update table --- HTTP Parameter Pollution/README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/HTTP Parameter Pollution/README.md b/HTTP Parameter Pollution/README.md index 8192797..d1e3cee 100644 --- a/HTTP Parameter Pollution/README.md +++ b/HTTP Parameter Pollution/README.md @@ -37,6 +37,10 @@ When ?par1=a&par1=b | Nodejs |All occurrences |a,b | | Golang net/http - `r.URL.Query().Get("param")` |First occurrence |a | | Golang net/http - `r.URL.Query()["param"]` |All occurrences |a,b | +| IBM Lotus Domino |First occurrence |a | +| IBM HTTP Server |First occurrence |a | +| Perl CGI/Apache |First occurrence |a | +| mod_wsgi (Python)/Apache |First occurrence |a | | Python/Zope |All occurences in array |['a','b'] | ## References
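Review bot: the added `| Perl CGI/Apache |First occurrence |a |` row duplicates an entry the table already contains (visible in the first patch's unchanged rows, between `JSP,Servlet/Tomcat` and `Python Flask`), so it should be dropped from this hunk. The remaining three rows (`IBM Lotus Domino`, `IBM HTTP Server`, `mod_wsgi (Python)/Apache`) are plausible, but the README's References section gives no source that covers them; a citation or a note on how the behaviour was verified in the commit message would let reviewers check the "First occurrence" claims. The `occurences` misspelling in the `Python/Zope` context row carried over from the first patch is still unfixed.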