[WEB SECURITY] file scheme handling of the "|" character

Robert A. robert at webappsec.org
Tue Jun 21 15:53:04 EDT 2011


> While on the topic of URI parsing, were you all aware of this behavior?
>
> http://www.lookout.net/2011/06/20/some-browsers-convert-pipe-to-colon-in-the-file-scheme/
>
> I know someone testing WebKit was, as it's in their list of test cases.  But
> I did not realize that some browsers, MSIE and Chrome, will literally
> convert the "|" to a ":" in the drive letter of the path component.
>
> I can see this being a problem for security filters, but can't think of
> anything specific.

Interesting. Here's another odd behavior that I couldn't convert to an
abuse case, but may be useful to someone.

http://www.cgisecurity.com/2010/03/random-firefox-url-handling.html

Regards,
- Robert

>
> -Chris
>
>

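The filter concern raised in the quoted message, as an added example that is not part of the original thread: a deny-list check that matches on the raw URL text misses the `|` form, while one that first applies the same `|`-to-`:` rewrite to the drive letter does not. The function names, the blocked prefix and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Drive spec at the start of a file: URL path, written as "/C:" or "/C|".
_DRIVE = re.compile(r"^/([A-Za-z])[|:](?=/|$)")

# Constructed policy: local paths the filter must refuse.
BLOCKED_PREFIXES = ("c:/windows/",)


def canonical_file_path(url):
    """Return a lower-cased 'c:/dir/file' path for a file: URL, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "file":
        return None
    # Decode %7C and friends first so an encoded pipe is seen as a pipe.
    path = unquote(parts.path).replace("\\", "/")
    # Same rewrite the thread attributes to MSIE and Chrome: "C|" -> "C:".
    path = _DRIVE.sub(lambda m: "/" + m.group(1) + ":", path)
    return path.lstrip("/").lower()


def naive_is_blocked(url):
    """Raw substring match, with no canonicalization of the drive letter."""
    lowered = url.lower()
    return any(prefix in lowered for prefix in BLOCKED_PREFIXES)


def is_blocked(url):
    """Match against the canonical path, so 'C|' and 'C:' are treated alike."""
    path = canonical_file_path(url)
    return path is not None and path.startswith(BLOCKED_PREFIXES)


if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "file:///C:/Windows/system.ini",
        "file:///C|/Windows/system.ini",
        "file:///c%7C/windows/system.ini",
        "file:///C|/Users/public/readme.txt",
    ]
    for url in samples:
        print(f"{url:40} naive={naive_is_blocked(url)} canonical={is_blocked(url)}")
```

This covers only the drive-letter rewrite discussed in the thread; dot-segment resolution and the `file://C|/...` authority form are outside its scope.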


