
Is URL encoding required.

Subject: Is URL encoding required.
Date: Mon, 27 Nov 2006 20:04:22 -0500

Hi,

I have a generic web application HTTP question that came out of my
experiments with WebScarab.
If I have a GET request containing non-alphanumeric characters like '&',
then are we supposed to always URL encode them before sending it to the
web server?
And is it always guaranteed that the server will URL decode it prior to
consuming the URL?


My understanding was that you always have to URL encode. However, I was
playing with WebScarab and saw a few raw GET requests to web of the
form:
http://example.com/abc=123&def=456&xyz
Shouldn't they go to the server as
http://example.com/abc=123%26def=456%26xyz

Or is it just that WebScarab is decoding it for me?

Thanks very much,
Amit
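
An added example (not part of the original message) using Python's standard `urllib.parse` to show how a raw `&` and `%26` are interpreted differently in a query string, and why decoding must happen after splitting. The URLs are constructed from the ones in the message with a `?` added as an assumption, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode, quote, unquote

# Constructed sample URLs, adapted from the message (a '?' is assumed).
RAW = "http://example.com/?abc=123&def=456&xyz"
ENCODED = "http://example.com/?abc=123%26def=456%26xyz"


def server_view(url):
    """Split the query on raw '&' and '=' first, then percent-decode each piece.

    This is the order a conforming parser uses, so '%26' stays inside a value.
    """
    query = urlsplit(url).query
    return parse_qsl(query, keep_blank_values=True)


def decode_then_split(url):
    """Failure mode: decode the whole URL first, then split.

    Once '%26' has become '&', data and delimiter can no longer be told apart.
    """
    return server_view(unquote(url))


def build_url(base, params):
    """Encode every name and value, then join the pairs with raw '&'."""
    return base + "?" + urlencode(params, quote_via=quote)


if __name__ == "__main__":
    print("raw       :", server_view(RAW))        # three parameters
    print("encoded   :", server_view(ENCODED))    # one parameter containing '&'
    print("mis-order :", decode_then_split(ENCODED))
    print("built     :", build_url("http://example.com/",
                                   [("abc", "123&def=456&xyz")]))
```

A raw `&` is a delimiter between parameters; it needs encoding only when it is meant to be data inside a name or value.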





