Re: Extended ASCII characters used for injection

[Mostafa Siraj <mostafa.siraj () gmail com>]

Blacklisting (blocking some characters and allowing everything else)
is known to be a bad practice, I would recommend allowing a whitelist
characters instead

On 10/19/10, Nibbler <enibbler () gmail com> wrote:
> Hi list,
>
> I have a web app and I want to block special characters in URL on the
> web server. Do you know if there is a risk of injection (XSS...) with
> extended ASCII char (%7f-%ff)?
> Is there any reason to block these characters?
>
> Thanks
> Regards,
> Nib
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------


-- 
Best Regards,
Mostafa Siraj <http://twitter.com/mostafasiraj>

"Our deepest fear is not that we are inadequate. Our deepest fear is that we
are powerful beyond measure. It is our light, not our darkness, that most
frightens us. We ask ourselves, who am I to be brilliant, gorgeous,
talented, and fabulous?Actually, who are you not to be? You are a child of
God. Your playing small doesn't serve the world. There's nothing enlightened
about shrinking so that other people won't feel insecure around you. We are
all meant to shine, as children do. We are born to make manifest the glory
of God that is within us. It's not just in some of us, it's in everyone. And
as we let our own light shine, we unconsciously give other people permission
to do the same. As we are liberated from our own fear, our presence
automatically liberates others." --Nelson Mandela--



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------