WebApp Sec mailing list archives
Is URL encoding required.
From: "Sharma, Amit" <asharma5 () lehman com>
Date: Mon, 27 Nov 2006 20:04:22 -0500
Hi,

I have a generic web application HTTP question that came out of my experiments with WebScarab.

If I have a GET request containing non-alphanumeric characters like '&', then are we supposed to always URL encode them before sending it to the web server? And is it always guaranteed that the server will URL decode it prior to consuming the URL?

My understanding was that you always have to URL encode. However, I was playing with WebScarab and saw a few raw GET requests to web of the form:

http://example.com/abc=123&def=456&xyz

Shouldn't they go to the server as

http://example.com/abc=123%26def=456%26xyz

Or is it just that WebScarab is decoding it for me?

Thanks very much,
Amit
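How the two forms in the question differ once a server parses them, as an added example that is not part of the original post. It uses Python's standard `urllib.parse` as a stand-in for a server-side parser; the `?` added to the first two sample URLs and the helper names `server_view` and `build_url` are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

def server_view(url):
    """Parse a URL the way a typical server-side parser does: isolate the
    query string, split it on raw '&' and '=', then percent-decode each piece."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)

def build_url(base, params):
    """Client side: percent-encode every name and value, then join the pairs
    with raw '&'. Only data is encoded, never the delimiters themselves."""
    return base + "?" + urlencode(params)

# Constructed sample URLs derived from the two forms in the post.
RAW = "http://example.com/?abc=123&def=456&xyz"          # '&' as delimiter
ENCODED = "http://example.com/?abc=123%26def=456%26xyz"  # '&' as data
POSTED = "http://example.com/abc=123&def=456&xyz"        # as posted, no '?'

if __name__ == "__main__":
    # Raw '&' separates parameters: the server sees three of them.
    print(server_view(RAW))
    # '%26' is decoded only after splitting, so the server sees ONE
    # parameter whose value contains literal '&' and '=' characters.
    print(server_view(ENCODED))
    # Without a '?', everything is path; no query parameters are parsed.
    print(server_view(POSTED))
    # A value that itself contains '&' must be encoded to survive the trip.
    url = build_url("http://example.com/", {"abc": "1&2", "def": "456"})
    print(url, server_view(url))
```
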