Just a follow-up - the new CRS 2.0.0 has the HPP rule in there.
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Download


Hop on the OWASP CRS mail-list if you would like to discuss :)

--
Ryan C. Barnett
WASC Distributed Open Proxy Honeypot Project Leader
OWASP ModSecurity Core Rule Set Project Leader
Tactical Web Application Security
http://tacticalwebappsec.blogspot.com

On Tuesday 16 June 2009 07:45:05 am christian.folini@post.ch wrote:
> Hey Ryan,
>
> This is a very sexy rule. Will it make it into the new Core Rules?
>
> Regs,
>
> Christian
>
>
> --
> Christian Folini, IT 222
> Webserver Security Engineer
>
>
> -----Original Message-----
> From: Ryan Barnett [mailto:Ryan.Barnett@breach.com]
> Sent: Tuesday, 16 June 2009 13:01
> To: 'marc.stern@approach.be'; 'mod-security-users@lists.sourceforge.net'
> Subject: Re: [mod-security-users] Blocking (partly) HTTP Parameter Pollution
>
> Here is the rule to detect if there are multiple parameters submitted that
> have the same name -
>
> SecRule ARGS_NAMES ".*" \
>   "chain,phase:2,t:none,nolog,pass,capture,setvar:'tx.arg_name_%{tx.0}=+1',msg:'Multiple Parameters with the same Name.'"
>   SecRule TX:/ARG_NAME_*/ "@gt 1"
>
> As you can see, we are simply creating a TX collection using macro
> expansion for the variable name and we are incrementing a counter each time
> we see a parameter. The 2nd part of the chained rule is then evaluating
> the TX collection to see if any of them are greater than 1. Keep in mind
> that this isn't a direct HTTP Parameter Pollution rule per se, as it may in
> fact be legitimate functionality of your app to have multiple parameters
> with the same name. This rule works to alert you to where those
> occurrences are happening. If you find that this is legit functionality,
> you could incorporate an exception into the rule to exclude those specific
> parameter names.
>
>
> Ryan C. Barnett
> Director of Application Security Research Breach Security, Inc.
> Ryan.Barnett@Breach.com
> www.Breach.com <http://www.breach.com/>
>
> ----- Original Message -----
> From: Marc Stern <marc.stern@approach.be>
> To: mod-security-users@lists.sourceforge.net
> <mod-security-users@lists.sourceforge.net> Sent: Tue Jun 16 05:39:37 2009
> Subject: [mod-security-users] Blocking (partly) HTTP Parameter Pollution
>
> Information about a particular case of HTTP Parameter Pollution - duplicate
> arguments - is described here:
> http://www.securityfocus.com/archive/1/504240/30/0/threaded
>
> Does anyone see how to find duplicate argument names without knowing the
> names in advance? The goal is to forbid, for GET & POST, two arguments
> with the same name.
>
> I tried to play with chained rules, but I would need recursive macro
> expansion, like "TX:%{TX:...}"
>
> Thanks
>
> Marc
>
> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables unlimited
> royalty-free distribution of the report engine for externally facing server
> and web deployment. http://p.sf.net/sfu/businessobjects
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
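The chained rule quoted in the thread tallies each parameter name in a TX variable and alerts when any tally exceeds 1. The script below is an added example, not code from the thread or from the Core Rule Set: it implements the same detection logic stand-alone, parsing the query string and the form body so that one copy in GET and one in POST are counted together (as ARGS_NAMES spans both), URL-decoding names before comparing them, and skipping an allowlist of names the application legitimately repeats, which is the per-name exception the post suggests. The parser, the allowlisted name `tag`, and the sample requests are constructed for illustration.

```python
"""Detect HTTP parameters submitted more than once (the duplicate-name
HPP pattern the ModSecurity chained rule flags), across query and body.

Added example, not part of the mailing-list thread. The parsing rules
(split on '&', then on the first '='), the allowlist and the sample
requests below are constructed for illustration."""
from collections import Counter
from urllib.parse import unquote_plus

# Names this (constructed) application legitimately repeats, e.g. a
# multi-select checkbox; this is the exception the post suggests adding.
ALLOWED_DUPLICATES = frozenset({"tag"})


def arg_names(encoded: str) -> list:
    """Parameter names from an application/x-www-form-urlencoded string,
    in order, including blank-valued and value-less parameters."""
    names = []
    for pair in encoded.split("&"):
        if pair == "":
            continue
        name = pair.split("=", 1)[0]
        # Decode so that two encodings of one name count as the same name.
        names.append(unquote_plus(name))
    return names


def count_arg_names(query: str, body: str = "") -> Counter:
    """Count every name across GET and POST parameters, the way ARGS_NAMES
    covers both; mirrors setvar:'tx.arg_name_%{tx.0}=+1' per occurrence."""
    counts = Counter()
    counts.update(arg_names(query))
    counts.update(arg_names(body))
    return counts


def duplicate_args(query: str, body: str = "",
                   allowed=ALLOWED_DUPLICATES) -> dict:
    """Names seen more than once, minus the allowlist; this is the
    'SecRule TX:/ARG_NAME_*/ "@gt 1"' half of the chain."""
    return {name: n for name, n in count_arg_names(query, body).items()
            if n > 1 and name not in allowed}


def check_request(query: str, body: str = "") -> str:
    """Return the alert message, or '' when the request has no duplicates."""
    dups = duplicate_args(query, body)
    if not dups:
        return ""
    detail = ", ".join(f"{name} ({n})" for name, n in sorted(dups.items()))
    return f"Multiple Parameters with the same Name: {detail}"


if __name__ == "__main__":
    # Constructed sample requests as (query string, POST body) pairs.
    samples = [
        ("id=7&action=view", ""),      # clean
        ("id=7&id=9", ""),             # duplicate within the query string
        ("id=7", "id=9&submit=1"),     # one copy in GET, one in POST
        ("tag=a&tag=b", ""),           # allowlisted repeat, not reported
        ("%69d=1&id=2", ""),           # same name once URL-decoded
    ]
    for query, body in samples:
        print(repr(query), repr(body), "->", check_request(query, body) or "ok")
```

Run it as-is to see each sample classified; to adopt the logic for a real application, replace the `ALLOWED_DUPLICATES` set with the names your forms legitimately repeat, exactly as you would add an exception to the ModSecurity rule.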