|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Canonicalization
From: Rogan Dawes (discard
dawes.za.net)
Date: Thu Apr 13 2006 - 07:17:45 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
susam_palyahoo.co.in wrote:
> I am writing some examples. Please tell me if these are the examples
> of Canonicalization.
>
> 1. When an web application gets parameters from a GET request or POST
> request, and if that parameter is going to be used as a part of an
> SQL query, then the programmer must take care to convert the
> single-quote (') to two single-quotes('') for Oracle Database in
> order to prevent SQL injection. Is this canonicalization?
>
> 2. Take a guestbook of a site. The feedback given is going to appear
> back in the web-page. Here we need to take care that things like
> "<font>" should be converted to ">font<" before it appears on
> the page. Is this a case of canonicalization?
>
No. Neither of those are examples of canonicalization. Both would
probably be called meta-character escaping, or something similar. In
example 1, the quote is a metacharacter that would be treated as special
by the SQL parser, and in example 2, the angle brackets < and > are
metacharacters that would be treated as special by the HTML parser.
As I previously explained, examples of canonicalization are converting
filenames or strings to their simplest possible representation:
c:\inetpub\wwwroot\cgi-bin\..\..\..\Windows\System32\cmd.exe
becomes
c:\Windows\System32\cmd.exe
through a process of filesystem path canonicalization.
and
http://victim.example.org/..%c0%af..%c0%af..%c0%af..%c0%afWindows%c0%afSystem32%c0%afcmd.exe
becomes
http://victim.example.org/../../../Windows/System32.cmd.exe
through a process of unicode canonicalization.
Hope this helps.
Rogan
-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]