WebApp Sec mailing list archives

Re: Canonicalization

From: Jason <security () brvenik com>
Date: Thu, 13 Apr 2006 10:33:58 -0400

Check out the research done by Sourcefire for the Snort project for some
tools and discussion that I think you will find helpful.

http://www.sourcefire.com/products/library.html#wp

- No registration required:
http://docs.idsresearch.org/http_ids_evasions.pdf

and HTTP Chameleon

http://code.idsresearch.org/SetupHttpChameleon.zip

or for *nix systems

http://code.idsresearch.org/encoder.c



susam_pal () yahoo co in wrote:

I am writing some examples. Please tell me if these are the examples of Canonicalization.

1. When an web application gets parameters from a GET request or POST request, and if that parameter is going to be 
used as a part of an SQL query, then the programmer must take care to convert the single-quote (') to two 
single-quotes('') for Oracle Database in order to prevent SQL injection. Is this canonicalization?

2. Take a guestbook of a site. The feedback given is going to appear back in the web-page. Here we need to take care 
that things like "<font>" should be converted to "&gt;font&lt;" before it appears on the page. Is this a case of 
canonicalization?

-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------


-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics

ALERT: "How A Hacker Launches A Web Application Attack!" 
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world 
examples of recent hacking methods such as: SQL Injection, Cross Site 
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------

Current thread:

Re: Canonicalization, (continued)
- - Re: Canonicalization Rossen Raykov (Apr 20)
    - Re: Canonicalization Peter Conrad (Apr 21)
    - Re: Canonicalization exon (Apr 21)
    - Re: Canonicalization Jason Murray (Apr 23)
    - Re: Canonicalization exon (Apr 24)
    - Re: Canonicalization Eoin (Apr 21)
    - Re: Canonicalization Andrew van der Stock (Apr 22)
- Re: RE: Canonicalization jovan . burd (Apr 13)
- Re: Re: Canonicalization susam_pal (Apr 13)
  - Re: Canonicalization Rogan Dawes (Apr 14)
  - Re: Canonicalization Jason (Apr 14)
  - Re: Re: Canonicalization Mariusz Pękala (Apr 14)
    - Re: Re: Canonicalization Peter Conrad (Apr 18)