Search Facets - Is there a way to avoid HTTP pollution?

Hello to all.

I do not know if this is just a problem for my current project, but we are facing an HTTP pollution problem with the native category and tag facet.

Liferay uses multiple parameter replications on its native search facets, as shown below with the category facet:

https://<hostname>/search?q=retirement&category=42152&category=42158

The problem is that the client’s WAF blocks all parameter replication, using OWASP best practices triggering the HTTP Parameter Pollution (HPP) vulnerability:

- ID WSTG-INPV-04 (https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/… )

After presenting these findings to support, I got an answer from the product team that the behaviour reported is not a security vulnerability but the expected one, and that the search functionality has been working the same way since 7.1 and none has been reported/found since then.

Has anyone had this same issue?

Is it the WAF being excessively cautious?

Thank you.

tl;dr: Yes, it is. Disable that protection for Liferay. HTTP Parameter Pollution MAY be a problem for some applications, but it really depends on the application at hand. A lot of frameworks simply don't care at all. WAFs try to block as many possible attack vectors as possible to protect all kinds of applications and frameworks. An attack might be dangerous if you use an Apache (up to some patch level) or PHP or ... but completely harmless in all other cases. But the WAF doesn't know what you use. So, if possible, it blocks the attack vector. You always need to tune a WAF for your setup.
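To make the answer's point concrete (why a repeated parameter is harmless on one stack and meaningful on another, and what "tuning the WAF" can look like), here is an added example that is not part of the thread and not Liferay's or any WAF vendor's code. It parses a constructed URL modelled on the one in the question, shows the three common ways a back end resolves a repeated name (first value wins, last value wins, all values kept), and models a simple HPP rule with an allow-list for the facet parameters that Liferay legitimately sends more than once. The host name, the `MULTI_VALUED_OK` set and the function names are assumptions for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample URL modelled on the one in the question (not a real host).
SAMPLE_URL = "https://search.example.test/search?q=retirement&category=42152&category=42158"

# Hypothetical allow-list: query parameters the application is known to send
# more than once on purpose (the category and tag facets named in the thread).
MULTI_VALUED_OK = {"category", "tag"}


def parse_query(url):
    """Return the query string as an ordered list of (name, value) pairs, keeping duplicates."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def first_wins(pairs):
    """Resolution used by some servers/frameworks: the first occurrence is kept."""
    out = {}
    for name, value in pairs:
        out.setdefault(name, value)
    return out


def last_wins(pairs):
    """Resolution used by others: the last occurrence overwrites earlier ones."""
    return dict(pairs)  # dict() keeps the last assignment for a repeated key


def all_values(pairs):
    """Resolution used by frameworks that expose every value as a list (Liferay's facets rely on this)."""
    out = {}
    for name, value in pairs:
        out.setdefault(name, []).append(value)
    return out


def duplicated_params(pairs):
    """Names that occur more than once, in order of first appearance."""
    seen, dups = set(), []
    for name, _ in pairs:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def hpp_findings(url, allow_list=MULTI_VALUED_OK):
    """Model of a WAF HPP rule: flag repeated names unless they are on the allow-list.

    Returns (blocked, flagged_names). With the allow-list in place the facet URL
    from the question passes; an unexpected repeat (e.g. 'q' twice) is still flagged.
    """
    pairs = parse_query(url)
    flagged = [name for name in duplicated_params(pairs) if name not in allow_list]
    return (len(flagged) > 0, flagged)


if __name__ == "__main__":
    pairs = parse_query(SAMPLE_URL)
    print("first wins :", first_wins(pairs)["category"])
    print("last wins  :", last_wins(pairs)["category"])
    print("all values :", all_values(pairs)["category"])
    print("rule, allow-list on :", hpp_findings(SAMPLE_URL))
    print("rule, allow-list off:", hpp_findings(SAMPLE_URL, allow_list=set()))
```

The three resolvers illustrate why a generic rule fires: a WAF cannot tell which of them the back end uses, so it treats any repeat as suspicious. Scoping the exception to the parameter names the application actually repeats, as `hpp_findings` does, keeps the rule active for everything else rather than switching it off for the whole site.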