WebApp Sec mailing list archives

Re: Canonicalization

From: Rogan Dawes <discard () dawes za net>
Date: Thu, 13 Apr 2006 14:17:45 +0200

susam_pal () yahoo co in wrote:

I am writing some examples. Please tell me if these are the examples
of Canonicalization.

1. When an web application gets parameters from a GET request or POST
request, and if that parameter is going to be used as a part of an
SQL query, then the programmer must take care to convert the
single-quote (') to two single-quotes('') for Oracle Database in
order to prevent SQL injection. Is this canonicalization?

2. Take a guestbook of a site. The feedback given is going to appear
back in the web-page. Here we need to take care that things like
"<font>" should be converted to "&gt;font&lt;" before it appears on
the page. Is this a case of canonicalization?

No. Neither of those are examples of canonicalization. Both wouldprobably be called meta-character escaping, or something similar. Inexample 1, the quote is a metacharacter that would be treated as specialby the SQL parser, and in example 2, the angle brackets < and > aremetacharacters that would be treated as special by the HTML parser.

As I previously explained, examples of canonicalization are convertingfilenames or strings to their simplest possible representation:


c:\inetpub\wwwroot\cgi-bin\..\..\..\Windows\System32\cmd.exe

becomes

c:\Windows\System32\cmd.exe

through a process of filesystem path canonicalization.

and

http://victim.example.org/..%c0%af..%c0%af..%c0%af..%c0%afWindows%c0%afSystem32%c0%afcmd.exe

becomes

http://victim.example.org/../../../Windows/System32.cmd.exe

through a process of unicode canonicalization.

Hope this helps.

Rogan

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!"Step-by-Step - SPI Dynamics White PaperLearn how to defend against Web Application Attacks with real-worldexamples of recent hacking methods such as: SQL Injection, Cross SiteScripting and Parameter Manipulation


https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

Re: Canonicalization, (continued)
- Re: Canonicalization Andrew van der Stock (Apr 12)
  - Re: Canonicalization Rossen Raykov (Apr 20)
    - Re: Canonicalization Peter Conrad (Apr 21)
    - Re: Canonicalization exon (Apr 21)
    - Re: Canonicalization Jason Murray (Apr 23)
    - Re: Canonicalization exon (Apr 24)
    - Re: Canonicalization Eoin (Apr 21)
    - Re: Canonicalization Andrew van der Stock (Apr 22)
- Re: RE: Canonicalization jovan . burd (Apr 13)
- Re: Re: Canonicalization susam_pal (Apr 13)
  - Re: Canonicalization Rogan Dawes (Apr 14)
  - Re: Canonicalization Jason (Apr 14)
  - Re: Re: Canonicalization Mariusz Pękala (Apr 14)
    - Re: Re: Canonicalization Peter Conrad (Apr 18)