A word of advice for anyone taking this on. I recall having seen a variety of obfuscation attacks that depended on variable interpretation of escaped characters.
It might be best to ensure that the interpretation of the parser, and not the original request itself, is what is sent to the backend server. If some of the characters are best escaped, send them that way, but send them as interpreted, not as received :)
-JohnF
Hi all,
I've just remembered this mail which was posted 1 month ago:
On Monday 23 August 2010 13:59:34, Łukasz Jagiełło wrote:
> Hi,
>
> I'm wondering, is there any solution for regex non-ascii characters in
> URLs? For example, I want to block a URL like this:
>
> http://some.domain.com/server-info
>
> Got ACL:
>
> acl status url_reg \/server-(status|info)(.*)?
>
> but if someone wrote a URL like this:
>
> http://some.domain.com/%73%65%72%76%65%72%2D%69%6E%66%6F
>
> ACL won't get it. I could change acl like this:
>
> acl status url_reg \/(server|\%73\%65\%72\%76\%65\%72)(-|\%2D)(status|info|\%69\%6E\%66\%6F|\%73\%74\%61\%74\%75\%73)(.*)?
>
> But still someone can write:
>
> http://some.domain.com/s%65%72%76%65%72%2D%69%6E%66%6F
>
> and will get server status. Is it possible to transform the URL to ASCII?
If no one is working on a solution yet, I propose to develop one when I get time, as this can be a security hole for rules used to protect some urls.
Let me know ;-)
--
Cyril Bonté
Received on 2010/09/26 19:47
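
The approach raised in this thread, as an added example that is not part of the original mails and is not HAProxy code: normalize the percent-escapes once, match the ACL regex from the quoted mail against the normalized path, and forward that same normalized path to the backend. The names `normalize_path` and `filter_request` are hypothetical, and decoding only RFC 3986 unreserved characters is an assumption of this example.

```python
import re

# The ACL pattern from the quoted mail, applied to the request path.
BLOCKED = re.compile(r"/server-(status|info)(.*)?")

# RFC 3986 "unreserved" characters: an escape of one of these is
# equivalent to the literal character, so decoding it is always safe.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def normalize_path(raw_path):
    """Decode escaped unreserved characters; upper-case every other escape."""
    def repl(match):
        char = chr(int(match.group(1), 16))
        if char in UNRESERVED:
            return char
        return "%" + match.group(1).upper()  # e.g. %2f stays encoded as %2F
    return ESCAPE.sub(repl, raw_path)


def filter_request(raw_path):
    """Return (allowed, path_to_forward), both based on the normalized path."""
    path = normalize_path(raw_path)
    if BLOCKED.search(path):
        return False, None
    return True, path  # forward the interpreted form, not the bytes received


# The request paths from the thread plus two constructed ones.
SAMPLES = [
    "/server-info",
    "/%73%65%72%76%65%72%2D%69%6E%66%6F",
    "/s%65%72%76%65%72%2D%69%6E%66%6F",
    "/server%2dstatus",        # constructed: lower-case hex digits
    "/docs/%69ndex.html",      # constructed: harmless path, gets canonicalized
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", filter_request(sample))
```

Because the regex only ever sees the normalized path, the ACL stays as short as the first version in the quoted mail and does not need one alternative per encoding.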