The objective in finding canonicalization issues is to identify places where an attacker can supply data and where the application makes certain decisions based on those values. Use different encodings, delimiters, characters, and so forth in an attempt to cause the data to be interpreted incorrectly when a security decision is made. Refer to Chapters 6, 10, and 12.
Sample Test Cases

Test Case | Description
---|---
`%41` | Hexadecimal encoding of a character (`%41` = A).
`%C1%81` | Overlong UTF-8 encoding of a character (`%C1%81` = A).
`%2541` | Double encoding of a character (`%25` = %).
`&#65;` | HTML encoding of a character (`&#65;` = A).
`&#x41;` | HTML hex encoding of a character (`&#x41;` = A).
`&#0065;` | HTML encoding of a character using padding (`&#0065;` = A).
`<input type=text value="" style="left:expressioＮ(document.bgColor='black')">` | The Ｎ is the fullwidth Latin capital letter N (U+FF2E), which IE best-fit maps to an ASCII n, turning the style attribute into scriptable code.
`C:\folder\..\secret\.\password.txt` | Directory traversal.
`C:\folder/secret.txt` | Using a forward slash (/) instead of a backslash (\).
`\Root` or `/Root` | Using a leading forward slash (/) or backslash (\) to access the root.
`http://server/folder%u002Ffile.txt` | Using UCS-2 encoding of a character (`%u002F` = /).
`\\.\C:\windows\notepad.exe`, `\\?\C:\windows\notepad.exe`, `\\machine\C$\windows\notepad.exe`, `\\ip\C$\windows\notepad.exe`, `\\localhost\C$\windows\notepad.exe`, `\\127.0.0.1\C$\windows\notepad.exe` | Different ways to represent a local file.
`%windir%\notepad.exe` | Using environment variables to represent a path.
`C:\windows\notepad.exe.` | A trailing period can still access the file.
`C:\windows\notepad(space)` | A trailing space can still represent the file.
`C:\Progra~1\longfi~1.txt` | Short (8.3) version of the long filename `C:\Program Files\longfilename.txt`.
`file.txt:$data`, `file.txt::$data`, `file.txt::$default` | Using alternate NTFS file system streams.
`http://3232235521` | Use the decimal form of an IP address to create a dotless address that can be used to trick some applications that attempt to detect zones, such as Internet versus intranet.
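As an added example (not from the book), the Python below implements the canonicalize-then-decide pattern the table argues for: it decodes the percent, `%u` and HTML-entity forms until the value stops changing, rejects the overlong UTF-8 case, normalizes the Windows path and strips the trailing dot or space that Win32 ignores, and is placed beside a naive string-matching check so the table's bypasses can be compared directly. `BASE`, `DENIED_NAMES` and the sample paths are assumed values chosen for the demonstration.

```python
import html
import ntpath  # Windows path rules, available on any host
import re
from urllib.parse import unquote

BASE = r"c:\public"              # assumed web root: anything outside it must be refused
DENIED_NAMES = {"password.txt"}  # assumed per-file denylist (shows trailing dot/space bypasses)


def _decode_ucs2(s: str) -> str:
    """%uXXXX (UCS-2) form from the table, e.g. %u002F -> '/'."""
    return re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


def canonicalize(path: str) -> str:
    """Decode until the value stops changing (defeats %2541-style double encoding),
    reject malformed UTF-8 such as the overlong %C1%81, then normalize the path."""
    prev = None
    while path != prev:
        prev = path
        path = _decode_ucs2(path)
        try:
            path = unquote(path, errors="strict")  # %41 -> A; overlong %C1%81 raises
        except UnicodeDecodeError as exc:
            raise ValueError("malformed percent-encoding") from exc
        path = html.unescape(path)                 # &#65; &#x41; &#0065; -> A
    path = ntpath.normpath(path.replace("/", "\\"))  # unify slashes, resolve . and ..
    head, tail = ntpath.split(path)
    # Win32 silently drops trailing dots and spaces from the final component
    return ntpath.join(head, tail.rstrip(". ")).lower()


def naive_is_allowed(path: str) -> bool:
    """String matching on the raw value: the kind of check the table's cases slip past."""
    name = path.rsplit("\\", 1)[-1]
    return ".." not in path and path.lower().startswith(BASE + "\\") and name not in DENIED_NAMES


def is_allowed(path: str) -> bool:
    """Canonicalize first, then make the same decision on the canonical form."""
    try:
        canon = canonicalize(path)
    except ValueError:
        return False
    return canon.startswith(BASE + "\\") and ntpath.basename(canon) not in DENIED_NAMES


if __name__ == "__main__":
    for p in [r"C:\public\%2e%2e\secret\config.ini", r"C:\public\password.txt."]:
        print(f"{p!r}: naive={naive_is_allowed(p)} canonical={is_allowed(p)}")
```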