Network Security Web-App-Sec

java.net.URI.normalize() problem

Subject: java.net.URI.normalize() problem
Date: Thu, 17 Feb 2005 23:30:09 +0100
Hi all,

I am working in a J2EE filter to implement a URL-based access control
on a web application. To avoid the possibility of bypassing the
control using manipulated URL paths I was planning on using the
normalize() method in java.net.URI class before applying regexp
filters.

But after some tests (URL and unicode encoded paths) I have found out
that it does not really work. In fact, this method normalizes the path
attribute of the URI object and not the decodedPath as I expected (I'm
using 1.4.2_06). Normalizing before decoding allows for a lot of URL
manipulation attacks like for example:

The URL /images/gif/..%2F../admin/login.jsp will be transformed to
/images/gif/../../admin/login.jsp instead of /admin/login.jsp because
normalize() fails to see %2F as a "/" as one should expect. This could
allow someone to bypass the filters blocking access using a regexp
like /admin.* on the (supposed) normalized form.

I don't see any reason to use the path instead of decodedPath (other
than a bug).  Any thoughts?

So I have implemented my own normalize() method, but I would like to
know what the people on the list use for URL normalization?

Regards,

Felipe.
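The behaviour Felipe describes, reproduced as an added example that is not part of the original post or of the JDK: `normalizeRawThenDecode` is the call sequence the post found wanting (normalize the raw, still-encoded path, then decode), and `decodeThenNormalize` is one defensive alternative that decodes one round first, refuses anything still carrying a `%` (double encoding) and refuses results that climb above the root. The class and method names are my own; the sample paths are constructed, the first being the one from the post.

```java
import java.net.URI;
import java.net.URISyntaxException;

/*
 * Added example (not the list author's code): reproduces the normalize()
 * behaviour described in the post and shows a decode-then-normalize
 * alternative for use in a URL-based access-control filter.
 */
public class PathNormalizeDemo {

    /** What the post observed: normalize() works on the raw (encoded) path. */
    static String normalizeRawThenDecode(String rawPath) throws URISyntaxException {
        // "..%2F.." is a single opaque segment here, so no ".." collapsing happens;
        // the decoded result still contains the two parent-directory steps.
        return new URI(rawPath).normalize().getPath();
    }

    /**
     * Decode first, then normalize the decoded path. Rejects a path that still
     * looks encoded after one decode (double encoding) and a path that would
     * escape above the root after normalization.
     */
    static String decodeThenNormalize(String rawPath) throws URISyntaxException {
        String decoded = new URI(rawPath).getPath();   // exactly one round of %XX decoding
        if (decoded == null || decoded.indexOf('%') >= 0) {
            // a '%' surviving one decode means double encoding; refuse rather than guess
            throw new URISyntaxException(rawPath, "double-encoded path rejected");
        }
        // The multi-argument constructor re-quotes illegal characters, so normalize()
        // now sees real "." and ".." segments instead of percent-encoded ones.
        String normalized = new URI(null, null, decoded, null, null).normalize().getPath();
        if (normalized.startsWith("..") || normalized.startsWith("/..")) {
            // URI.normalize() keeps leading ".." it cannot remove; treat that as an escape attempt
            throw new URISyntaxException(rawPath, "path escapes the root");
        }
        return normalized;
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] samples = {                       // constructed inputs
            "/images/gif/..%2F../admin/login.jsp", // the post's own example
            "/images/%2e%2e/admin/login.jsp",      // percent-encoded dots
            "/images/..%252F../admin/login.jsp",   // double-encoded slash
            "/images/gif/logo.gif",                // benign path
        };
        for (String s : samples) {
            System.out.println("raw:                   " + s);
            System.out.println("normalize-then-decode: " + normalizeRawThenDecode(s));
            try {
                System.out.println("decode-then-normalize: " + decodeThenNormalize(s));
            } catch (URISyntaxException e) {
                System.out.println("decode-then-normalize: REJECTED (" + e.getReason() + ")");
            }
            System.out.println();
        }
    }
}
```

For the post's example the first method yields `/images/gif/../../admin/login.jsp`, which a regexp such as `/admin.*` does not match, while the second yields `/admin/login.jsp`, which it does. Rejecting any `%` left after one decode is a deliberately strict choice: it also refuses a legitimate literal `%25` in a file name, which is usually an acceptable trade in an access-control filter compared with trying to decode repeatedly until the string stops changing.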
