PAPAS: PArameter Pollution Analysis System


PAPAS is an automated system that scans web-sites for HTTP Parameter Pollution vulnerabilities.

HTTP Parameter Pollution (HPP) represents a new class of problems for web applications. An HPP vulnerability allows an attacker to inject a parameter (and its value) inside the URLs generated by the application. The consequences of the attack depend on the application's logic, and may vary from a simple annoyance to a complete corruption of the application's behavior. PAPAS is the first and only system to detect HPP problems in live Internet sites. It works by crawling your application and probing each page with an intelligent fuzzing mechanism to discover possible injections in links and forms.
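As an added illustration (not PAPAS's own code, nor code from this page), the following Python shows the pattern the scanner looks for: a link generator that copies a request value into a generated URL without encoding it, the hardened form that uses urlencode(), and a check in the spirit of the probe described above that reports links in which an injected marker parameter reappears as a parameter of its own. The request value, the page markup and the parameter names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, parse_qs


def build_link_vulnerable(base, page, lang):
    # Concatenates the request value verbatim: an '&' inside it becomes a new parameter.
    return f"{base}?page={page}&lang={lang}"


def build_link_hardened(base, page, lang):
    # urlencode() percent-encodes '&' and '=', so the value stays a single parameter value.
    return f"{base}?{urlencode({'page': page, 'lang': lang})}"


class LinkCollector(HTMLParser):
    """Collects href values of <a> tags from a page (attribute values are unescaped)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def find_hpp_links(html, canary_name):
    """Return the generated links in which the canary shows up as a distinct query parameter."""
    collector = LinkCollector()
    collector.feed(html)
    hits = []
    for link in collector.links:
        params = parse_qs(urlsplit(link).query, keep_blank_values=True)
        if canary_name in params:
            hits.append(link)
    return hits


def render_page(build_link, lang_value):
    # Constructed stand-in for an application page that echoes a request value into a link.
    link = build_link("/list", "2", lang_value)
    return f'<html><body><a href="{link}">next</a></body></html>'


CANARY = "papas_probe"                 # constructed marker name used by the check
PAYLOAD = "en&" + CANARY + "=1"        # request value carrying the marker as an extra parameter
```

Running find_hpp_links() over the page built with build_link_vulnerable reports the link, while the page built with build_link_hardened yields no hit because the marker stays inside the encoded lang value.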

PAPAS has been used to conduct a large-scale experiment over 5,000 popular web-sites. Interestingly, we discovered that about 30% of them contain HPP-vulnerable pages and that top sites are affected as well. In fact, when we contacted them, they acknowledged the problems. Since HPP still seems to be generally underestimated by web designers, we decided to set up this site and put PAPAS online.

Here you can submit your site to PAPAS to be tested, for free. Our automated system will analyze your application and send you a nicely formatted HTML report when the scan is completed. With this initiative we hope to raise awareness of, and draw attention to, the HPP problem.

News
15.02.2011 - Note: PAPAS won't scan HTTPS websites with self-signed and invalid SSL/TLS certificates
25.01.2011 - PAPAS has run without particular problems for two months: the Beta period can now be considered finished :-)
17.12.2010 - This new post (the first of a series) explains PAPAS' architecture and algorithms to efficiently detect HPP flaws.
10.12.2010 - In your PAPAS report, if you got a "timeout" in accessing the site's homepage, it may be worth re-submitting your site. I just fixed a networking bug.
09.12.2010 - Fixed a bug in the token URL's generation routine when a URL with a filename is submitted.
09.12.2010 - If you run into bugs/errors or wanna contact me, I am reachable at papas(at)iseclab(dot)org.
08.12.2010 - I wrote this blog post with some extra information.
05.12.2010 - The PDF that describes our system is now public.
26.11.2010 - PAPAS is now online!


© 2010-2011 Marco `embyte` Balduzzi @ International Secure Systems Lab