Testing Tips

When testing for canonicalization issues, trying every possible way to represent the data can seem overwhelming. The following list provides some basic testing tips to help you get started looking for canonicalization issues.

  • If your application processes links or URLs that can be specified by an attacker, try different types of protocols to see what the attacker could accomplish.

  • If your application installs a protocol handler, try to inject arbitrary command-line arguments.

  • If your application processes a filename that is supplied by the user, try using different DOS device names, such as COM1.txt, file.COM1, and so forth.

  • When creating files for the application to use, use the CreateFile or CreateFileW API to create illegal filenames that the Windows shell won't allow.

  • Use directory traversal techniques to attempt to access files from locations you shouldn't be able to access.

  • Try using both the short and long versions of filenames.

  • Try using different casing for filenames and folder names.

  • Try inserting and appending encoded special characters, such as tabs, spaces, nulls, and CR/LFs.

  • Attempt to access files using different techniques, such as by UNC or \\?\.

  • Add illegal characters to the value to see what happens.

  • Use encoding techniques, such as UTF-8, UCS-2, and overlong UTF-8, to try to fool the parser.

  • Use double-encoding techniques, especially if you notice the application decodes the values.

  • Express your HTML characters using different escape codes; especially try padding with zeros.
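
The filename-related tips above can be kept as a regression check for the code that validates user-supplied names. The following is an added example, not code from the book: it canonicalizes first and validates second, and the function names, the rejection policy, and the sample inputs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Reserved DOS device names (compared case-insensitively below).
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}
ILLEGAL = re.compile(r'[<>:"|?*\x00-\x1f]')   # includes tab, NUL, CR, LF
SHORT_NAME = re.compile(r"~\d")               # 8.3 alias such as PROGRA~1

def canonicalize(raw, max_rounds=5):
    """Percent-decode until the value stops changing (covers double encoding).
    Strict UTF-8 decoding rejects overlong sequences such as C0 AE."""
    current = raw
    for _ in range(max_rounds):
        try:
            decoded = unquote_to_bytes(current).decode("utf-8", errors="strict")
        except UnicodeDecodeError:
            raise ValueError("invalid or overlong UTF-8") from None
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many encoding layers")

def check_filename(raw):
    """Return the case-folded canonical name, or raise ValueError."""
    name = canonicalize(raw)
    if "/" in name or "\\" in name:
        raise ValueError("path separator (traversal, UNC or \\\\?\\ form)")
    if name in ("", ".", "..") or ILLEGAL.search(name):
        raise ValueError("illegal character or relative component")
    if name != name.rstrip(" ."):
        raise ValueError("trailing space or dot")
    if SHORT_NAME.search(name):
        raise ValueError("8.3 short-name alias")
    # Assumed conservative policy: a device name in any dot-separated part fails.
    if any(part.strip().upper() in DOS_DEVICES for part in name.split(".")):
        raise ValueError("DOS device name")
    return name.casefold()

def is_rejected(raw):
    try:
        check_filename(raw)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    # Constructed sample inputs, one per tip category.
    for s in ["Report.TXT", "com1.TXT", "file.COM1", "..%5cnotes.txt",
              "%252e%252e%252fnotes", "%c0%ae%c0%ae", "notes%09.txt", "PROGRA~1"]:
        print(f"{s!r:28} rejected={is_rejected(s)}")
```

Validating before decoding, or decoding only once, is the ordering mistake these tips are designed to expose; the check above decodes to a fixed point before any rule is applied.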



Hunting Security Bugs
ISBN: 073562187X
EAN: 2147483647
Year: 2004
Pages: 156
