Re: regarding URL Encoding based attacks

[Mayank Bhatnagar <mayank () ncb ernet in>]

hi Alex,

A lot of thanks for replying. By an HTTP protocol engine I was referring
to a piece of code that actually understands HTTP, decodes into various 
structures and then could be tested through various security checks. One 
of this includes URL encoding based attacks. Extraction means out of 
complete HTTP payload, extraction of URL part.....

Well, I have really gone about searching for some good amount of time and 
trials/experirments in using code/routines. You are right in saying that 
various routines and codes are available but most of these codes are 
either just code (not understandable) or using native APIs, extensions 
which may not be plugged currently in our software. Thats why I had 
specifically mentioned abt  (C/C++)....so its like a library exisitng 
through which I can parse URLs, decode various encoding schemes being used 
and perform security checks.....

I have actually tried libcurl, libwww, but these come with client side 
APIs, through which we can frame URLs, Perl modules at CPAN provides 
URI::URL module which I am currently exploring.....

so if you have some idea on the above, I would be eagerly looking for your 
mail....

thanks Alex,
thanks list

regds,
Mayank



On Mon, 1 Nov 2004, Alex Russell wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tuesday 26 October 2004 12:06 am, Mayank Bhatnagar wrote:
> > I am working towards URL Encoding and Decoding based attacks. A
> > nice paper could be read from here...
> >
> > http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html
>
> Agreed. Gunter appears to cover most of the bases here. Nice to see a 
> treatment that includes IPv6.
>
> > To carry out on ths work, I have implemented a HTTP protocol engine
> > and I am able to extract a complete URL string. This I am doing
> > using C++/Unix environment.
>
> What does that mean? What does "extract" mean? And how is this 
> different from any other regexp that matches URI schemes (of which 
> there are many of varying quality)? What are you extracting from? 
> HTTP headers?
>
> > Now my question is, I would like to know if there are some
> > libraries exisiting using which I can decode the captured URLs. I
> > wish to use the library (preferably in C/C++) and then proceed to
> > find the attack patterns in them.
>
> Here's where you're starting to get on my nerves. A quick google 
> search turns up TONS of urldecoding/encoding routines (again, of 
> varying quality). I've you've already searched through these, please 
> mention which you've looked at before requesting blankly that the 
> members of this list do the most basic research imagineable for you.
>
> > Can any one provide some links/references....
>
> http://www.google.com
> http://groups.google.com
>
> - -- 
> Alex Russell
> alex () dojotoolkit org
> alex () netWindows org F687 1964 1EF6 453E 9BD0 5148 A15D 1D43 AB92 9A46
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
>
> iD8DBQFBhoNioV0dQ6uSmkYRAv1lAJwIGVy2ODJF8CFL2FHqA8cbB2mTpwCfaKm0
> qmymficDh7DX2xtdPm4YPPs=
> =5Lqc
> -----END PGP SIGNATURE-----