WebApp Sec mailing list archives

Is URL encoding required?


From: "Sharma, Amit" <asharma5 () lehman com>
Date: Mon, 27 Nov 2006 20:04:22 -0500


Hi,

I have a generic web application HTTP question that came out of my
experiments with WebScarab.
If I have a GET request containing non-alphanumeric characters like '&',
then are we supposed to always URL encode them before sending it to the
web server?
And is it always guaranteed that the server will URL decode it prior to
consuming the URL?


My understanding was that you always have to URL encode. However, I was
playing with WebScarab and saw a few raw GET requests to the web server of the
form:
http://example.com/abc=123&def=456&xyz
Shouldn't they go to the server as
http://example.com/abc=123%26def=456%26xyz

Or is it just that WebScarab is decoding it for me?

Thanks very much,
Amit
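As an added example (not part of Amit's post or WebScarab), the following Python script, using only the standard library, parses the two query strings from the message the way a server does. It shows why the '&' between parameters stays raw while an '&' inside a value has to become %26, and what the server sees when a client fails to encode.

```python
from urllib.parse import parse_qs, urlencode

# Constructed from the two URLs in the post: only the query part matters.
RAW_QUERY = "abc=123&def=456&xyz"          # '&' acts as a separator
ENCODED_QUERY = "abc=123%26def=456%26xyz"  # '&' is literal data in one value


def server_view(query: str) -> dict[str, list[str]]:
    """Parse a query string the way server frameworks do: split on the
    reserved '&' and '=' delimiters FIRST, then percent-decode each piece.
    keep_blank_values=True keeps the valueless 'xyz' parameter visible."""
    return parse_qs(query, keep_blank_values=True)


def client_encode(params: dict[str, str]) -> str:
    """Build a query string the way a client should: percent-encode each
    name and value on its own, then join the pairs with literal '&'."""
    return urlencode(params)


def naive_query(params: dict[str, str]) -> str:
    """The failure mode the post worries about: joining without encoding.
    An '&' or '=' inside a value is then indistinguishable from a delimiter
    and the server ends up with extra, attacker-chosen parameters."""
    return "&".join(f"{k}={v}" for k, v in params.items())


def round_trips(params: dict[str, str]) -> bool:
    """True when encoding then decoding gives back exactly the same
    parameters, i.e. no delimiter inside a value was misread."""
    return server_view(client_encode(params)) == {k: [v] for k, v in params.items()}


if __name__ == "__main__":
    # Three parameters: abc=123, def=456 and a valueless xyz.
    print(server_view(RAW_QUERY))
    # -> {'abc': ['123'], 'def': ['456'], 'xyz': ['']}
    # One parameter whose value contains '&' and '=' as data.
    print(server_view(ENCODED_QUERY))
    # -> {'abc': ['123&def=456&xyz']}
    # The client must encode a value containing delimiters ('=' becomes %3D too).
    print(client_encode({"abc": "123&def=456&xyz"}))
    # -> abc=123%26def%3D456%26xyz
    print(round_trips({"abc": "123&def=456&xyz", "q": "a=b"}))
    # -> True
    # Unencoded, the same single value is seen by the server as three parameters.
    print(server_view(naive_query({"abc": "123&def=456&xyz"})) == server_view(RAW_QUERY))
    # -> True
```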










