WebApp Sec mailing list archives
.com. filter bypass
From: RSnake <rsnake () shocking com>
Date: Wed, 18 Aug 2004 12:05:39 -0700 (PDT)
I know this is pretty trivial, but I haven't seen anyone write anything about this. I'm not sure how useful it really is as an attack vector, but: "http://www.google.com./" is a valid url in browsers (with the dot at the end). It seems like it might be used to circumvent some pattern matching filters in use with CGIs. Something like: #!/usr/bin/perl print "Content-Type: text/html\n\n"; $domain_query = $ENV{QUERY_STRING} # $domain_query is "www.google.com." if ($domain_query !~ m/^www\.google\.com$/){ #execute something you normally wouldn't allow for www.google.com } else { print "Sorry!\n"; } Where the URL in this case actually is google.com when rendered. I tested this with IE on XP Pro and lynx on XP Pro cygwin and on FBSD. As a side note, nslookup and traceroute both ignored the trailing period, which actually is okay behavior, but also makes them candidates if this sort of check is performed before they are run with a system call.... Yup, as I said, pretty trivial. -R The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it is expressly prohibited and may be unlawful.
Current thread:
- .com. filter bypass RSnake (Aug 19)
- Re: .com. filter bypass Martin Mačok (Aug 20)
- Re: .com. filter bypass Chris Ess (Aug 20)
- Re: .com. filter bypass Nigel Stepp (Aug 20)