WebApp Sec: Re: Canonicalization

Re: Canonicalization

From: exon <exon_at_home.se>
Date: Mon, 24 Apr 2006 11:08:29 +0200

Jason Murray wrote:
>
> exon wrote:
>
>> Peter Conrad wrote:
>>
>>> Hi,
>>>
>>> On Thu, Apr 20, 2006 at 10:22:18PM -0400, Rossen Raykov wrote:
>>>
>>>> Is that "simplest form" achievable? One can perform many and
>>>> different encodings, making the task of decoding them very difficult
>>>> and resource consuming. Usually it is cheaper and safer to do a
>>>> semantic check and treat the input as erroneous if it does not
>>>> conform to the expected input format.
>>>
>>> you're comparing apples with oranges here. You must perform
>>> canonicalization *before* you can match the input against the
>>> expected format.
>>>
>>>> For example, if you are expecting a number, anything different from
>>>> a number is an error.
>>>
>>> Here are some different representations of the same number:
>>>
>>> 11
>>> +11
>>> 11.0
>>> 11.00
>>> 011
>>>
>>
>> This is just stupid. If the user is supposed to input an unsigned
>> numeric integer it's just dumb to accept dots, pluses, commas and any
>> other char than what fits in 0-9. Leading zeros can be stripped,
>> although if the application itself never adds them you shouldn't allow
>> that either. Even if you accept negative numbers or floating point
>> numbers there's still a very limited range of characters to accept.
>
> Alright then, with 11.00 you strip the "." and are left with 1100. But
> that is clearly not what the user intended. They intended 11. You need
> to canonicalize to a normalized form before you can then reject for
> inappropriate values.
>

Disallow, not strip. Stripping disallowed chars before validating is
exactly the kind of dwimmery that causes bugs with input that *looks*
valid but really isn't.

/exon
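The three policies argued over in this thread, worked through side by side as an added example (this is not code from the post or from any of its authors): the strip-then-accept behaviour Jason objects to, exon's disallow rule, and canonicalize-then-validate. The sample inputs are constructed for the example, Python's Decimal is used as the canonicalizer, and MAX_LEN is an assumed input bound that addresses Rossen's point about decoding being resource consuming.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed sample inputs: the five spellings of eleven from the thread plus a
# few more that a web form might receive. Example data, not from the original post.
SAMPLES = ["11", "+11", "11.0", "11.00", "011", "1e1", "-11", "11.5",
           "0x0b", " 11 ", "\uff11\uff11", "NaN", "1100"]

# Assumed bound on input length, applied before any parsing work is done on it,
# so that a hostile "1e99999999" cannot make canonicalization expensive.
MAX_LEN = 20

# The complete alphabet of an unsigned integer: ASCII digits, nothing else.
UNSIGNED_INT = re.compile(r"[0-9]+")


def strip_then_accept(raw: str) -> int:
    """The pattern Jason objects to: delete every character that is not 0-9 and
    accept whatever is left. "11.00" silently becomes 1100, "-11" becomes 11."""
    digits = re.sub(r"[^0-9]", "", raw)
    if not digits:
        raise ValueError(f"rejected: {raw!r}")
    return int(digits)


def disallow(raw: str) -> int:
    """exon's rule: validate against the exact expected alphabet and reject
    everything else; nothing is stripped or rewritten before the check.
    fullmatch() is used rather than match() with $ so that a trailing newline
    is rejected too. int() on its own is not a validator: int("\uff11\uff11") == 11,
    because fullwidth digits are Unicode decimal digits."""
    if len(raw) > MAX_LEN or not UNSIGNED_INT.fullmatch(raw):
        raise ValueError(f"rejected: {raw!r}")
    return int(raw)


def canonicalize_then_validate(raw: str) -> int:
    """Jason's rule: bring the input to one normal form first, then apply the
    value check to that normal form. Decimal() is the canonicalizer here, so
    "+11", "011", "11.00" and "1e1" all reduce to a single numeric value; the
    validation afterwards insists on a finite, non-negative, integral value."""
    if len(raw) > MAX_LEN:
        raise ValueError(f"rejected: {raw!r}")
    try:
        value = Decimal(raw.strip())
    except InvalidOperation:
        raise ValueError(f"rejected: {raw!r}") from None
    # NaN and Infinity are valid Decimal literals, so they must be refused here;
    # comparing a NaN with < would itself raise InvalidOperation.
    if not value.is_finite():
        raise ValueError(f"rejected: {raw!r}")
    if value < 0 or value != value.to_integral_value():
        raise ValueError(f"rejected: {raw!r}")
    return int(value)


POLICIES = (strip_then_accept, disallow, canonicalize_then_validate)


def compare(samples=SAMPLES) -> dict:
    """Run every policy over every sample. Each row maps policy name to the
    accepted integer, or to None where the policy rejected the input."""
    table = {}
    for raw in samples:
        row = {}
        for policy in POLICIES:
            try:
                row[policy.__name__] = policy(raw)
            except ValueError:
                row[policy.__name__] = None
        table[raw] = row
    return table


if __name__ == "__main__":
    names = [p.__name__ for p in POLICIES]
    print(f"{'input':<10} " + " ".join(f"{n:>26}" for n in names))
    for raw, row in compare().items():
        cells = " ".join(
            f"{str(row[n]) if row[n] is not None else 'rejected':>26}" for n in names
        )
        print(f"{raw!r:<10} {cells}")
```

Running the table shows the disagreement concretely: strip_then_accept turns "11.00" into 1100 and "1e1" into 11, canonicalize_then_validate turns both into the value the writer meant (11 and 10) but also quietly accepts fullwidth digits, and disallow rejects everything except plain ASCII digits. Which of the last two is right depends on whether the application's own forms ever produce anything but ASCII digits; either way the length check runs before any decoding, and neither ever rewrites the input and then trusts the result.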

Received on Apr 24 2006