The main methodology in testing for canonicalization issues is to determine whether your application is making security decisions based on a name of a resource, and then try to trick the parser by using other variations of that same name. Here are the basic steps to follow when looking for canonicalization issues:

1. Identify places where your application uses data to make security decisions or presents the user with data to make a security decision.
2. Try alternate representations of data to see whether you can bypass the check, such as using a forward slash instead of a backslash or tabs instead of spaces.
3. Use different encodings, which are discussed later in this chapter, to attempt to trick the parser.
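As an added example (not code from the book), the following puts a naive, string-based path check beside one that canonicalizes the name before making the decision, and runs both over the kinds of variants the steps above describe (backslash instead of forward slash, percent-encoded dots). It goes one step beyond the text by also handling a doubly percent-encoded name. The base directory, the request strings, and the assumption that the server treats a backslash as a path separator are all constructed for this example.

```python
"""Naive versus canonicalizing access check for a file-serving component
that must only serve files beneath one base directory.

Added example, not the book's code. BASE_DIR and the sample requests are
constructed; treating '\\' as a separator is an assumed server behaviour."""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/app/public"  # constructed base directory


def naive_is_allowed(requested: str) -> bool:
    """Security decision made on the raw string as received.

    Rejects the literal sequence '../' and absolute paths, which is enough
    for the obvious case but nothing else: any other spelling of the same
    name walks straight past it."""
    return "../" not in requested and not requested.startswith("/")


def canonicalize(requested: str) -> str:
    """Reduce the requested name to one canonical absolute path."""
    # Percent-decode until the string stops changing, so a doubly
    # encoded name does not survive a single decode.
    decoded = requested
    for _ in range(5):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Assumption: the server accepts backslash as a separator, so the
    # canonical form must treat it as one too.
    decoded = decoded.replace("\\", "/")
    # posixpath.join discards BASE_DIR if 'decoded' is absolute; that is
    # fine here because the containment check below is done on the result.
    return posixpath.normpath(posixpath.join(BASE_DIR, decoded))


def canonical_is_allowed(requested: str) -> bool:
    """Decide on the canonical form: it must lie within BASE_DIR."""
    resolved = canonicalize(requested)
    return posixpath.commonpath([BASE_DIR, resolved]) == BASE_DIR


def audit(samples):
    """Run both checks over each sample; returns {sample: (naive, canonical)}."""
    return {s: (naive_is_allowed(s), canonical_is_allowed(s)) for s in samples}


if __name__ == "__main__":
    # Constructed request strings covering the variants the steps describe.
    SAMPLES = [
        "images/logo.png",          # legitimate name
        "../etc/passwd",            # the obvious spelling
        "..\\etc\\passwd",          # backslash instead of forward slash
        "%2e%2e/etc/passwd",        # percent-encoded dots
        "%252e%252e/etc/passwd",    # doubly percent-encoded dots
    ]
    for sample, (naive, canon) in audit(SAMPLES).items():
        print(f"{sample!r:28} naive={naive!s:5} canonical={canon!s:5} "
              f"-> {canonicalize(sample)}")
```

Running the script shows the naive check accepting every variant except the literal `../` spelling, while the canonicalizing check reaches the same decision for all spellings of the same name, which is the property a fix for a canonicalization bug needs to have. The decode loop is bounded so that a pathological input cannot keep the check busy indefinitely.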