Yann wrote:
> 11 Apr 2006 13:12:29 -0000, susam_pal_at_yahoo.co.in <susam_pal_at_yahoo.co.in>:
>> I found the following paragraph in owasp.org. Can someone please elaborate on this?
>>
>> Parameters must be converted to the simplest form before they are validated,
>> otherwise, malicious input can be masked and it can slip past filters. The process of
>> simplifying these encodings is called "canonicalization."
>
> There is a (very short) article on Wikipedia, to begin with:
> http://en.wikipedia.org/wiki/Canonicalization
>
> There is an example, not directly related to security.
>
> Yann
> --
Here is an example of why canonicalization is important in a security
context:
The rule is "Only execute files under the cgi directory
(C:\inetpub\wwwroot\cgi-bin)"
The rule is enforced by checking that the path starts with
"C:\inetpub\wwwroot\cgi-bin\", and if it does, the file is executed.
Should I execute the following file?
C:\inetpub\wwwroot\cgi-bin\..\..\..\Windows\System32\cmd.exe
Clearly not. The fault is failure to canonicalize the filename to a
unique (simplest) representation, namely: C:\Windows\System32\cmd.exe,
before doing the path check.
Another example might be to convert Unicode-encoded strings to the
simplest form possible. Since Unicode allows for an infinite number of
ways of representing the same character, you should always reduce the
string to the simplest possible form before doing any comparisons.
Hope this helps.
Regards,
Rogan
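The two checks Rogan describes, side by side, as an added example that is not part of the original thread. It assumes the directory rule from the message, uses ntpath so the Windows path semantics run on any platform, and constructs a few sample paths and strings of its own.

```python
import ntpath
import unicodedata

# Constructed from the rule stated in the thread.
CGI_DIR = r"C:\inetpub\wwwroot\cgi-bin"


def naive_allowed(path: str) -> bool:
    """The flawed check: a bare string-prefix test on the raw input."""
    return path.startswith(CGI_DIR + "\\")


def canonicalize_path(path: str) -> str:
    """Reduce a Windows path to one representation: collapse '.' and '..',
    fold '/' to '\\', drop doubled separators and lower the case."""
    return ntpath.normcase(ntpath.normpath(path))


def canonical_allowed(path: str) -> bool:
    """Canonicalize first, then apply the same prefix rule to the result.
    The trailing separator stops 'cgi-bin-evil' matching 'cgi-bin'."""
    root = canonicalize_path(CGI_DIR)
    return canonicalize_path(path).startswith(root + ntpath.sep)


def canonical_text(s: str) -> str:
    """Reduce a Unicode string to one form before any comparison. NFKC folds
    composed/decomposed sequences and compatibility variants such as
    fullwidth letters into a single representation."""
    return unicodedata.normalize("NFKC", s)


if __name__ == "__main__":
    # Constructed sample inputs: the traversal from the thread plus variants.
    for candidate in (
        r"C:\inetpub\wwwroot\cgi-bin\hello.exe",
        r"C:\inetpub\wwwroot\cgi-bin\..\..\..\Windows\System32\cmd.exe",
        r"C:\INETPUB\wwwroot\cgi-bin\hello.exe",
        r"C:\inetpub\wwwroot\cgi-bin-evil\hello.exe",
    ):
        print(f"{candidate}\n  naive={naive_allowed(candidate)} "
              f"canonical={canonical_allowed(candidate)} "
              f"-> {canonicalize_path(candidate)}")
    # Two spellings of the same text compare equal only after normalization.
    print(canonical_text("e\u0301") == canonical_text("\u00e9"))
```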
Received on Apr 12 2006