WebApp Sec mailing list archives
Re: Canonicalization
From: Rogan Dawes <discard () dawes za net>
Date: Thu, 13 Apr 2006 14:17:45 +0200
susam_pal () yahoo co in wrote:
I am writing some examples. Please tell me if these are the examples of Canonicalization. 1. When an web application gets parameters from a GET request or POST request, and if that parameter is going to be used as a part of an SQL query, then the programmer must take care to convert the single-quote (') to two single-quotes('') for Oracle Database in order to prevent SQL injection. Is this canonicalization? 2. Take a guestbook of a site. The feedback given is going to appear back in the web-page. Here we need to take care that things like "<font>" should be converted to ">font<" before it appears on the page. Is this a case of canonicalization?
No. Neither of those are examples of canonicalization. Both would probably be called meta-character escaping, or something similar. In example 1, the quote is a metacharacter that would be treated as special by the SQL parser, and in example 2, the angle brackets < and > are metacharacters that would be treated as special by the HTML parser.
As I previously explained, examples of canonicalization are converting filenames or strings to their simplest possible representation:
c:\inetpub\wwwroot\cgi-bin\..\..\..\Windows\System32\cmd.exe becomes c:\Windows\System32\cmd.exe through a process of filesystem path canonicalization. and http://victim.example.org/..%c0%af..%c0%af..%c0%af..%c0%afWindows%c0%afSystem32%c0%afcmd.exe becomes http://victim.example.org/../../../Windows/System32.cmd.exe through a process of unicode canonicalization. Hope this helps. Rogan ------------------------------------------------------------------------- This List Sponsored by: SPI DynamicsALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Re: Canonicalization, (continued)
- Re: Canonicalization Andrew van der Stock (Apr 12)
- Re: Canonicalization Rossen Raykov (Apr 20)
- Re: Canonicalization Peter Conrad (Apr 21)
- Re: Canonicalization exon (Apr 21)
- Re: Canonicalization Jason Murray (Apr 23)
- Re: Canonicalization exon (Apr 24)
- Re: Canonicalization Rossen Raykov (Apr 20)
- Re: Canonicalization Andrew van der Stock (Apr 12)
- Re: Canonicalization Eoin (Apr 21)
- Re: Canonicalization Andrew van der Stock (Apr 22)
- Re: Canonicalization Rogan Dawes (Apr 14)
- Re: Canonicalization Jason (Apr 14)
- Re: Re: Canonicalization Mariusz Pękala (Apr 14)
- Re: Re: Canonicalization Peter Conrad (Apr 18)