WebApp Sec mailing list archives

Re: Canonicalization

From: Rogan Dawes <rogan () dawes za net>
Date: Wed, 12 Apr 2006 14:55:34 +0200

Yann wrote:

11 Apr 2006 13:12:29 -0000, susam_pal () yahoo co in <susam_pal () yahoo co in>:

I found the following paragraph in owasp.org. Can someone please elaborate on this?

Parameters must be converted to the simplest form before they are validated,
otherwise, malicious input can be masked and it can slip past filters. The process of
simplifying these encodings is called "canonicalization."


There is a (very short) article on Wikipedia, to begin with:
http://en.wikipedia.org/wiki/Canonicalization

There is an example, not directly related to security.

Yann
--

Here is an example of why canonicalization is important in a securitycontext:

The rule is "Only execute files under the cgi directory(C:\inetpub\wwwroot\cgi-bin)"

The rule is enforced by checking that the path starts with"C:\inetpub\wwwroot\cgi-bin\", and if it does, the file is executed.


Should I execute the following file?

C:\inetpub\wwwroot\cgi-bin\..\..\..\Windows\System32\cmd.exe

?

Clearly not. The fault is failure to canonicalize the filename to aunique (simplest) representation, namely: C:\Windows\System32\cmd.exe,before doing the path check.

Another example might be to convert Unicode-encoded strings to thesimplest form possible. Since Unicode allows for an infinite number ofways of representing the same character, you should always reduce thestring to the simplest possible form before doing any comparisons.


Hope this helps.

Regards,

Rogan

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!"Step-by-Step - SPI Dynamics White PaperLearn how to defend against Web Application Attacks with real-worldexamples of recent hacking methods such as: SQL Injection, Cross SiteScripting and Parameter Manipulation


https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

Canonicalization susam_pal (Apr 12)
- Re: Canonicalization Yann (Apr 12)
  - Re: Canonicalization Rogan Dawes (Apr 12)
- <Possible follow-ups>
- RE: Canonicalization PPowenski (Apr 12)
- Re: Canonicalization Andrew van der Stock (Apr 12)
  - Re: Canonicalization Rossen Raykov (Apr 20)
    - Re: Canonicalization Peter Conrad (Apr 21)
    - Re: Canonicalization exon (Apr 21)
    - Re: Canonicalization Jason Murray (Apr 23)
    - Re: Canonicalization exon (Apr 24)
    - Re: Canonicalization Eoin (Apr 21)
    - Re: Canonicalization Andrew van der Stock (Apr 22)
- Re: RE: Canonicalization jovan . burd (Apr 13)

(Thread continues...)