Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Sverre H. Huseby (shhthathost.com)
Date: Mon Oct 29 2001 - 13:23:21 CST
| Example - An application does not accept HTML as input and wants
| to prevent Cross Site Scripting (See OWASP-IV-CSS-1). If the
| application strips < and >, then no HTML tags will be
| accepted. However the malicious user could uses the URL encoded
| equivilents %3C and %3E to bypass the input filter. HTML aware
| applications often strip out <script> but don't correctly handle
I'm not quite sure I understand this example:
* If a bad guy passes %3C in a URL, the %3C will be mapped
to < by the web server before the string is sent to the web
application. The application won't see the %3C.
* If the user enters %3C in a way that makes the web application
receive it, eg. by sending %253C in a URL, the application will
generate web pages with eg. "%3Cscript%3E" in it, which won't be
interpreted as a script tag by any browser I know of.
The only way this may represent a problem, is if the application first
validates the input (looks for < >), and _then_ performs a URL decode
itself. And why would it do that?
Please correct me if I am wrong.
-- shhthathost.com Play my free Nerd Quiz at http://shh.thathost.com/ http://nerdquiz.thathost.com/