December 28, 2009

HTTP Parameter Fragmentation (HPF) is one of the methods to bypass security filters in web applications

The idea to use HTTP Parameter Fragmentation (HPF) when calling a web application for the purpose of bypassing security filters (particularly, WAFs) is not a new one. According to one of the participants of WASC Mailing List, this technique can be occasionally found among exploits published at the site However, application of this method allows one to successfully bypass filters used in most modern WAFs (particularly, a productive one - mod_security). So, what is the essence of this technique? Let us consider it by examples of SQL Injection exploitation.

It is often necessary to have two or more user parameters in one SQL query, for example:

At the stage of verifying the parameter values received from the user on the level of web application, the application is capable of operating with variables of web server only and WAF (depending on the mode) is capable of operating directly with raw HTTP data. However, regardless of the method of accessing data, it comes to using certain regular expressions (regexps) for each separate parameter. I.e.:

Thus, if one divides the logic of the SQL query among several parameters that enter this SQL query and then concatenates these pieces using comments, it will become possible to bypass the described filters:


Here, regexps will not work:

SQL queries become:

Since comments are ignored, the queries in fact are:

select * from table where a=1 union select 1,2
select * from table where a=1 union select 1,pass from users

One can notice that considering the attack vector, HPF is very similar to HPP (HTTP Parameter Pollution), but in contrast to the latter one, the HPP implementation is aimed at exploitation of vulnerability in the web application, not in the application environment. Of course, both attack methods can supplement each other.
For example, combination of two techniques can be used if SQL code is sequentially injected into two SQL queries:

Let us assume that output is displayed only if both queries don’t return a DB error. Then it becomes possible to combine HPP and HPF methods and use “union” instead of

Blind SQL Injection. Here is an example:


SQL queries will take on a correct form:

select id,user,email from table where a=1 union select 1,2,3
select id,user from table where a=1 union select 1,2

OWASP EU09 Luca Carettoni, Stefano diPaola
Lavakumar Kuppan,
WASC Mailing List,
CC09 Dmitry Evteev,
Dmitry Evteev blog,


  1. This comment has been removed by a blog administrator.

  2. This comment has been removed by a blog administrator.