[WEB SECURITY] Repository of site URL structures?

Andres Riancho andres.riancho at gmail.com
Tue Jun 21 14:58:43 EDT 2011


Chris,

On Tue, Jun 21, 2011 at 2:49 PM, Chris Weber <chris at casabasecurity.com> wrote:
> What are you trying to do Robert?  I've been amassing a list of URIs and
> IRIs for testing purposes, you can check it out here:
>
> https://github.com/cweb/iri-tests/blob/master/tests.xml

Awesome stuff :) Quick question, how do you know what the real
expected result is? For example in:

<test>
    <id>0022</id>
    <uri>http://0022.iris.test.ing/a-umlaut/?x=ä&#x0023;#ä#ä</uri>
    <expected>
        <protocol>http:</protocol>
        <host>0022.iris.test.ing</host>
        <hostname>0022.iris.test.ing</hostname>
        <port></port>
        <pathname>/a-umlaut</pathname>
        <search>?x=ä&#x0023;</search>
        <hash>#ä#ä</hash>
    </expected>
    <comment>non-ASCII character in query string and fragment</comment>
</test>

Where did all the stuff in <expected></expected> come from? Have you
tested all these in IE, Firefox, Safari, Opera and extracted the expected
results from there?

> Webkit also has a testing suite at
> http://trac.webkit.org/browser/trunk/LayoutTests/fast/url/ Note: I'm in
> process of incorporating all of these tests into my test.xml above.
>
> Everyone is definitely not following the RFC guidelines consistently.  I
> built a test harness that correlates the DOM parsing of these URIs with the
> HTTP request and the DNS queries.  The differences are dramatic in some
> cases.
>
> Thanks,
> -Chris
>
>
> -----Original Message-----
> From: websecurity-bounces at lists.webappsec.org
> [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Robert A.
> Sent: Tuesday, June 21, 2011 10:36 AM
> To: websecurity at lists.webappsec.org
> Subject: [WEB SECURITY] Repository of site URL structures?
>
> Hello everyone,
> Is anyone aware of a site that contains a list of funky url structures used
> by production sites? I am not looking for a reply telling me I should look
> at the RFC guidelines because not everyone may be following them.
>
> Regards,
> - Robert
> http://www.qasec.com/
> http://www.webappsec.org
> http://www.cgisecurity.com
>
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>



-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af



