Imperva Security Response to a Variation of HTTP Parameter Pollution Attack

On Nov. 4th, a possible bypass of the Imperva SecureSphere WAF was disclosed by email on the public mailing-list archive SECLISTS.ORG. The post describes a variation of the HTTP Parameter Pollution attack that can bypass the Imperva SecureSphere Web Application Firewall and the Incapsula WAF.

Background
The general concept of HTTP parameter pollution (HPP) has been documented in web application security research since 2009. At a high level, the attack sends multiple HTTP parameters with the same name to an application. HTTP does not define how duplicate parameters must be handled, so each web server and framework resolves them differently (first value, last value, all values, or a concatenation), and the application may behave erratically as a result. This erratic behavior is not a vulnerability by itself, but an attacker may use it to bypass input validation, trigger application errors, or modify internal variable values.

Imperva SecureSphere Web Application Firewall (WAF) can detect HTTP parameter pollution attacks, and customers can choose to either alert on or block sessions that attempt to pass multiple HTTP parameters with the same name. Imperva Incapsula WAF detects and handles HTTP Parameter Pollution attacks out of the box; no special configuration is required on the customer side.

However, the specific bypass published on SECLISTS.ORG describes a special case of this attack that uses null characters ('%00') in a parameter name to create the appearance of two differently named parameters (for example, a request carrying both "name" and "name%00"). SecureSphere and Incapsula treat these as two distinct parameters rather than as a repeated one, so the duplicate-parameter check does not fire and both are passed through to the application. An application that ignores the null character and merges the two values then sees a single polluted parameter, with the potential consequences of a parameter pollution attack.
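To make the mechanism concrete, the following is an added example (not Imperva's code and not the SECLISTS poster's code). It parses a constructed query string, runs the same duplicate-name check twice, once on the raw names and once after truncating names at the first NUL byte, and then shows what a backend that drops the NUL and concatenates duplicate values would receive. The comma-joining of duplicate values is classic ASP's documented behavior for Request.QueryString; the NUL truncation is an assumed model of the behavior the post describes, and the helper names are this example's own.

```python
"""
Added example: why a parameter-pollution check that compares raw parameter
names misses the %00 variant, and what a NUL-truncating, value-joining
backend (modelled on classic ASP) sees instead. The backend model and the
sample query are constructed for illustration.
"""
from urllib.parse import unquote_to_bytes


def parse_query(qs: str):
    """Split a raw query string into (name, value) byte pairs.

    Percent-decoding to bytes (not str) keeps %00 as a real NUL byte
    instead of silently mangling it."""
    pairs = []
    for part in qs.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_to_bytes(name), unquote_to_bytes(value)))
    return pairs


def find_duplicates(pairs, normalize=lambda n: n):
    """Names that occur more than once after applying `normalize`.

    With the identity normalizer this is the naive check that compares
    raw names, which is the behaviour the bypass exploits."""
    counts = {}
    for name, _ in pairs:
        key = normalize(name)
        counts[key] = counts.get(key, 0) + 1
    return {k for k, c in counts.items() if c > 1}


def truncate_at_nul(name: bytes) -> bytes:
    """Normalizer that treats everything after the first NUL as noise."""
    return name.split(b"\x00", 1)[0]


def names_with_nul(pairs):
    """Parameter names a 'null character in parameter name' rule would flag."""
    return [name for name, _ in pairs if b"\x00" in name]


def classic_asp_view(pairs):
    """Assumed backend model: truncate names at NUL, then join duplicate
    values with ', ' the way classic ASP's Request.QueryString does."""
    merged = {}
    for name, value in pairs:
        merged.setdefault(truncate_at_nul(name), []).append(value)
    return {k.decode("latin-1"): b", ".join(v).decode("latin-1")
            for k, v in merged.items()}


# Constructed sample: one clean name and one with an embedded NUL.
SAMPLE = "id=1&id%00=2"

if __name__ == "__main__":
    pairs = parse_query(SAMPLE)
    print("raw-name duplicates:  ", find_duplicates(pairs))
    print("NUL-aware duplicates: ", find_duplicates(pairs, truncate_at_nul))
    print("names containing NUL: ", names_with_nul(pairs))
    print("what the backend sees:", classic_asp_view(pairs))
```

The raw-name check reports no duplicates for the sample, the NUL-aware check reports `id`, and the modelled backend receives `id` = `1, 2`. The `names_with_nul` function is the simpler signal: it does not need to know how the backend merges parameters, which is why a rule that blocks on a NUL in a parameter name closes this variant regardless of the application behind the WAF.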

Implications

Impact to Imperva SecureSphere WAF Customers:
Low. The technique only works against the small number of web server platforms that combine such parameters, such as classic ASP applications on IIS; IIS ASP.NET and Apache-based web servers are not affected. Further, the impact of this technique can be fully mitigated by changing the SecureSphere WAF default action for the null-character-in-parameter rule from alert to block.

Impact to Imperva Incapsula Customers:
None. Immediately after the publication, Incapsula rolled out a set of rules that automatically block this use of the HTTP parameter pollution bypass. Any attempt to use this type of attack is blocked out of the box; no special configuration is required on the customer side.

Protecting Applications:
The suggested immediate mitigation for SecureSphere WAF customers protecting IIS classic ASP applications is to use the existing built-in SecureSphere WAF web protocol policy "null character in parameter name", which is currently set to ALERT. First, review the alerts generated by this policy and check for false positives, i.e. applications that legitimately use parameter names containing a NULL character. If any are found, add an exception for them to the web protocol policy. Once the exceptions are in place, switch the "null character in parameter name" rule from ALERT to BLOCK.

References
Testing for HTTP Parameter pollution (OTG-INPVAL-004)
Bypass Imperva by confusing HTTP Pollution Normalization Engine

Contact Support
Customers should contact Imperva support (support@imperva.com) for assistance in implementing and configuring changes to Imperva WAF policy.