WebApp Sec mailing list archives
Re: Extended ASCII characters used for injection
From: Mostafa Siraj <mostafa.siraj () gmail com>
Date: Tue, 19 Oct 2010 15:56:25 +0200
Blacklisting (blocking some characters and allowing everything else) is known to be a bad practice; I would recommend allowing a whitelist of characters instead.

On 10/19/10, Nibbler <enibbler () gmail com> wrote:

> Hi list,
>
> I have a web app and I want to block special characters in the URL on the web server. Do you know if there is a risk of injection (XSS...) with extended ASCII chars (%7f-%ff)? Is there any reason to block these characters?
>
> Thanks
>
> Regards,
> Nib
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
--
Best Regards,
Mostafa Siraj <http://twitter.com/mostafasiraj>

"Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our light, not our darkness, that most frightens us. We ask ourselves, who am I to be brilliant, gorgeous, talented, and fabulous? Actually, who are you not to be? You are a child of God. Your playing small doesn't serve the world. There's nothing enlightened about shrinking so that other people won't feel insecure around you. We are all meant to shine, as children do. We are born to make manifest the glory of God that is within us. It's not just in some of us, it's in everyone. And as we let our own light shine, we unconsciously give other people permission to do the same. As we are liberated from our own fear, our presence automatically liberates others." --Nelson Mandela--
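As an added illustration of the whitelist-versus-blacklist point above (example code written for this archive page, not from either poster), the following Python compares a whitelist check against two blacklist checks on percent-encoded parameter values; the BLOCKED set and the sample values are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Whitelist: the RFC 3986 "unreserved" characters, enough for most path and
# query values. Everything else, including the %7f-%ff bytes asked about in
# the thread, is rejected by construction rather than by being enumerated.
UNRESERVED = re.compile(rb"^[A-Za-z0-9._~-]*$")

# Constructed blacklist of characters a naive XSS filter might block.
BLOCKED = set(b"<>\"'&")


def whitelist_ok(raw_param: str) -> bool:
    """Percent-decode first, then require every byte to be unreserved."""
    decoded = unquote_to_bytes(raw_param)
    return UNRESERVED.match(decoded) is not None


def blacklist_ok_raw(raw_param: str) -> bool:
    """Naive filter: scans the still-encoded string, so %3C is never seen as '<'."""
    return not any(b in BLOCKED for b in raw_param.encode("utf-8"))


def blacklist_ok_decoded(raw_param: str) -> bool:
    """Better blacklist: decodes first, but still only knows the listed bytes."""
    return not any(b in BLOCKED for b in unquote_to_bytes(raw_param))


def compare(raw_param: str) -> dict:
    """Return the verdict of each checker for one parameter value."""
    return {
        "whitelist": whitelist_ok(raw_param),
        "blacklist_raw": blacklist_ok_raw(raw_param),
        "blacklist_decoded": blacklist_ok_decoded(raw_param),
    }


if __name__ == "__main__":
    # Constructed sample values: a plain token, a percent-encoded '<b>',
    # and two values carrying bytes in the %7f-%ff range.
    for sample in ("report-2010_v1.0", "%3Cb%3E", "caf%C3%A9", "%FF"):
        print(sample, compare(sample))
```

The whitelist needs no opinion on whether %7f-%ff bytes are dangerous downstream; they are simply outside the allowed set, whereas each blacklist only rejects what it explicitly lists.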
Current thread:
- Extended ASCII characters used for injection Nibbler (Oct 19)
- Re: Extended ASCII characters used for injection Mostafa Siraj (Oct 19)
- RE: Extended ASCII characters used for injection Onken, Skyler (Oct 19)
- Re: Extended ASCII characters used for injection Simon XanthiX (Oct 19)
- Re: Extended ASCII characters used for injection john s (Oct 19)
- RE: Extended ASCII characters used for injection Chris Weber (Oct 20)
- Re: Extended ASCII characters used for injection Jeff Williams (Oct 20)
- RE: Extended ASCII characters used for injection Linden Darling (Oct 20)
- RE: Extended ASCII characters used for injection Richard M. Smith (Oct 25)
- Re: Extended ASCII characters used for injection john s (Oct 25)
- RE: Extended ASCII characters used for injection Chris Weber (Oct 25)
- Re: Extended ASCII characters used for injection john s (Oct 25)
- Re: Extended ASCII characters used for injection Jeff Williams (Oct 20)