WebApp Sec mailing list archives
RE: Canonicalization
From: <PPowenski () oag com>
Date: Wed, 12 Apr 2006 13:23:48 +0100
my understanding of this is if the input arrives as any kind of metacharacter \0x32 for an ascii space it must be converted to a space before the parser looks at it. -----Original Message----- From: susam_pal () yahoo co in [mailto:susam_pal () yahoo co in] Sent: 11 April 2006 14:12 To: webappsec () securityfocus com Subject: Canonicalization I found the following paragraph in owasp.org. Can someone please elaborate on this? Parameters must be converted to the simplest form before they are validated, otherwise, malicious input can be masked and it can slip past filters. The process of simplifying these encodings is called "canonicalization." ------------------------------------------------------------------------ - This List Sponsored by: SPI Dynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR l ------------------------------------------------------------------------ -- This e-mail is intended for the named recipient(s). It and any attachments may contain privileged and/or confidential information. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient. If you are not one of the intended recipients, or this email is received in error, please immediately either notify the sender or contact OAG Worldwide Limited on +44 (0) 1582 600111 quoting the name of the sender and the email address to which it has been sent and then delete it and any attachment(s). While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Limited and its affiliate companies cannot guarantee that attachments do not contain any viruses or are compatible with your systems, and does not accept liability in respect of viruses or computer problems experienced. Neither OAG Worldwide Limited nor the sender accepts any responsibility for viruses and it is your responsibility to scan or otherwise check this email and any attachments. OAG Worldwide Limited may monitor or record outgoing and incoming e-mail to secure effective system operation and for other lawful purposes. By replying to this email you give your consent to such monitoring. Thank you. OAG Worldwide Limited is a company registered in England and Wales (registered number 4226716), with its registered office at Church Street, Dunstable, Bedfordshire, LU5 4HB, United Kingdom. ------------------------------------------------------------------------- This List Sponsored by: SPI Dynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Canonicalization susam_pal (Apr 12)
- Re: Canonicalization Yann (Apr 12)
- Re: Canonicalization Rogan Dawes (Apr 12)
- <Possible follow-ups>
- RE: Canonicalization PPowenski (Apr 12)
- Re: Canonicalization Andrew van der Stock (Apr 12)
- Re: Canonicalization Rossen Raykov (Apr 20)
- Re: Canonicalization Peter Conrad (Apr 21)
- Re: Canonicalization exon (Apr 21)
- Re: Canonicalization Jason Murray (Apr 23)
- Re: Canonicalization exon (Apr 24)
- Re: Canonicalization Rossen Raykov (Apr 20)
- Re: Canonicalization Yann (Apr 12)
- Re: Canonicalization Eoin (Apr 21)
- Re: Canonicalization Andrew van der Stock (Apr 22)