my understanding of this is
if the input arrives as any kind of metacharacter \0x32 for an ascii
space it must be converted to a space
before the parser looks at it.
-----Original Message-----
From: susam_pal@yahoo.co.in [mailto:susam_pal@yahoo.co.in]
Sent: 11 April 2006 14:12
To: webappsec@securityfocus.com
Subject: Canonicalization
I found the following paragraph in owasp.org. Can someone please
elaborate on this?
Parameters must be converted to the simplest form before they are
validated, otherwise, malicious input can be masked and it can slip past
filters. The process of simplifying these encodings is called
"canonicalization."
------------------------------------------------------------------------
-
This List Sponsored by: SPI Dynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gR
l
------------------------------------------------------------------------
--
This e-mail is intended for the named recipient(s). It and any attachments may
contain privileged and/or confidential information. They may not be disclosed
to or used by or copied in any way by anyone other than the intended recipient.
If you are not one of the intended recipients, or this email is received in
error, please immediately either notify the sender or contact OAG Worldwide
Limited on +44 (0) 1582 600111 quoting the name of the sender and the email
address to which it has been sent and then delete it and any attachment(s).
While all reasonable efforts are made to safeguard inbound and outbound
e-mails, OAG Worldwide Limited and its affiliate companies cannot guarantee
that attachments do not contain any viruses or are compatible with your
systems, and does not accept liability in respect of viruses or computer
problems experienced. Neither OAG Worldwide Limited nor the sender accepts any
responsibility for viruses and it is your responsibility to scan or otherwise
check this email and any attachments.
OAG Worldwide Limited may monitor or record outgoing and incoming e-mail to
secure effective system operation and for other lawful purposes. By replying
to this email you give your consent to such monitoring.
Thank you.
OAG Worldwide Limited is a company registered in England and Wales (registered
number 4226716), with its registered office at Church Street, Dunstable,
Bedfordshire, LU5 4HB, United Kingdom.
-------------------------------------------------------------------------
This List Sponsored by: SPI Dynamics
ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
