RE: Canonicalization

[<PPowenski () oag com>]

my understanding of this is
if the input arrives as any kind of metacharacter \0x32 for an ascii
space it must be converted to a space 
before the parser looks at it.

-----Original Message-----
From: susam_pal () yahoo co in [mailto:susam_pal () yahoo co in] 
Sent: 11 April 2006 14:12
To: webappsec () securityfocus com
Subject: Canonicalization


I found the following paragraph in owasp.org. Can someone please
elaborate on this?

Parameters must be converted to the simplest form before they are
validated, otherwise, malicious input can be masked and it can slip past
filters. The process of simplifying these encodings is called
"canonicalization."

------------------------------------------------------------------------
-
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR
l
------------------------------------------------------------------------
--
This e-mail is intended for the named recipient(s).  It and any attachments may contain privileged and/or confidential 
information. They may not be disclosed to or used by or copied in any way by anyone other than the intended recipient.  
If you are not one of the intended recipients, or this email is received in error, please immediately either notify the 
sender or contact OAG Worldwide Limited on +44 (0) 1582 600111 quoting the name of the sender and the email address to 
which it has been sent and then delete it and any attachment(s). 
While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Limited and its 
affiliate companies cannot guarantee that attachments do not contain any viruses or are compatible with your systems, 
and does not accept liability in respect of viruses or computer problems experienced. Neither OAG Worldwide Limited nor 
the sender accepts any responsibility for viruses and it is your responsibility to scan or otherwise check this email 
and any attachments.  
OAG Worldwide Limited may monitor or record outgoing and incoming e-mail to secure effective system operation and for 
other lawful purposes.  By replying to this email you give your consent to such monitoring. 
Thank you.
OAG Worldwide Limited is a company registered in England and Wales (registered number 4226716), with its registered 
office at Church Street, Dunstable, Bedfordshire, LU5 4HB, United Kingdom.


-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------