[WEB SECURITY] Repository of site URL structures?
Andres Riancho
andres.riancho at gmail.com
Thu Jun 23 10:04:21 EDT 2011
Achim,
On Wed, Jun 22, 2011 at 5:02 PM, Achim Hoffmann <websec10 at sic-sec.org> wrote:
> Hi Andres,
>
>> Just noticed that you might be missing the test where you have a
>> param: http://www.w3af.com/foo/bar?spam;eggs=1 (eggs=1) is the
>> param.
>
> not sure what's your question here, but according to RFC1738 you have a
> "searchpart" (aka query string) which is in your example
> spam;eggs=1
Actually, what I meant was this:
>>> import urlparse
>>> urlparse.urlparse('http://www.w3af.com/filename.py;SESSION=321?id=1')
ParseResult(scheme='http', netloc='www.w3af.com', path='/filename.py',
params='SESSION=321', query='id=1', fragment='')
And I called it "param" not because that's the name in the RFC (AFAIK)
but because that's how python shows it to me :)
> For those tools/frameworks/whatever which believe that a query string
> consists of key=value pairs which must be separated by & the key here
> would be
> spam;eggs
> and the value
> 1
>
> The ; in the path of a URL is the delimiter for parameters, it should
> not be a special character in the searchpart. Example:
> http://f.q.d.n//path/to/file;parameter=2;par=3?search&key=val;ue
Not sure if we're saying the same thing or not. What I'm trying to say
is that URLs can have a "special" section that starts with a ";" after
the filename, and tests.xml (as far as I could see) did not cover that
case.
> Therefore you have to URL-encode ; in the path, 'cause it separates path
> from parameters, but it's not necessary in the searchpart.
>
> All RFCs are vague about URL-encoding of special characters like / ; = | @
>
> IIRC the same applies to | but haven't seen examples for that since
> a very long time (maybe back when Netscape Servers dominated Internet:)
>
> Sorry for being a bit off-topic, but hope it helps. At least Robert's
> examples with the ; in behind the FQDN are subject to it too, somehow.
>
> Ciao,
> Achim
>
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
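
The distinction discussed in this message, as an added example that is not part of the original post or of w3af: it runs the URLs quoted in the thread (plus one constructed URL) through Python 3's `urllib.parse`, the successor of the `urlparse` module used above, and through a per-segment splitter. The names `url_inputs` and `stdlib_view` are hypothetical helpers. It also covers a case the thread does not mention: `urlparse` only splits parameters off the last path segment.

```python
from urllib.parse import urlparse, urlsplit


def stdlib_view(url):
    """(path, params, query) exactly as urllib.parse.urlparse reports them."""
    p = urlparse(url)
    return p.path, p.params, p.query


def url_inputs(url):
    """Per-segment path parameters plus '&'-separated query pairs."""
    parts = urlsplit(url)  # unlike urlparse, urlsplit leaves ';' in the path alone
    segments = []
    for raw in parts.path.split("/")[1:]:
        name, *params = raw.split(";")  # ';' delimits parameters inside a segment
        segments.append((name, params))
    # In the query, ';' is kept as data here; only '&' separates pairs.
    pairs = [tuple(p.partition("=")[::2]) for p in parts.query.split("&") if p]
    return {"segments": segments, "query": pairs}


# URLs 1-3 are quoted in the thread; URL 4 is constructed for this example.
SAMPLES = [
    "http://www.w3af.com/foo/bar?spam;eggs=1",
    "http://www.w3af.com/filename.py;SESSION=321?id=1",
    "http://f.q.d.n//path/to/file;parameter=2;par=3?search&key=val;ue",
    "http://www.w3af.com/app;v=2/filename.py;SESSION=321?id=1",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url)
        print("  urlparse  :", stdlib_view(url))
        print("  url_inputs:", url_inputs(url))
```

For the fourth URL `urlparse` reports `path='/app;v=2/filename.py'`, so a test set built only on its `params` field would miss the `v=2` parameter on the first segment.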