[WEB SECURITY] Repository of site URL structures?

Achim Hoffmann websec10 at sic-sec.org
Wed Jun 22 16:02:17 EDT 2011


Hi Andres,

> Just noticed that you might be missing the test where you have a
> param:    http://www.w3af.com/foo/bar?spam;eggs=1    (eggs=1) is the
> param.

not sure what your question is here, but according to RFC1738 you have a
"searchpart" (aka query string) which is in your example
	spam;eggs=1

For those tools/frameworks/whatever which believe that a query string
consists of key=value pairs which must be separated by & the key here
would be
	spam;eggs
and the value
	1

The ; in the path of a URL is the delimiter for parameters, it should
not be a special character in the searchpart. Example:
	http://f.q.d.n//path/to/file;parameter=2;par=3?search&key=val;ue

Therefore you have to URL-encode ; in the path, 'cause it separates path
from parameters, but it's not necessary in the searchpart.

All RFCs are vague about URL-encoding of special characters like / ; = | @

IIRC the same applies to | but I haven't seen examples of that for
a very long time (maybe back when Netscape servers dominated the Internet :)

Sorry for being a bit off-topic, but hope it helps. At least Robert's
examples with the ; behind the FQDN are subject to it too, somehow.

Ciao,
Achim
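As an added example (not part of the thread), a small Python splitter that treats ; the way the message above describes: a parameter delimiter inside path segments, but an ordinary character in the searchpart, which is split on & only. The URLs are the ones quoted in the thread; the function names are mine.

```python
"""Split a URL as RFC 1738/2396 describe it: ';' delimits parameters
inside a path segment, but is a plain character in the query string.
Added example, not from the original thread."""
from urllib.parse import urlsplit, unquote


def split_path(path):
    """Return [(segment, {param: value}), ...] for each path segment.
    Splitting happens before unquoting, so an encoded %3B stays a
    literal ';' inside the segment instead of starting a parameter.
    Empty segments (from '//' in the path) are kept so nothing is lost."""
    segments = []
    for raw in path.split("/")[1:]:  # leading '/' yields an empty first element
        seg, *params = raw.split(";")
        parsed = {}
        for p in params:
            k, _, v = p.partition("=")
            parsed[unquote(k)] = unquote(v)
        segments.append((unquote(seg), parsed))
    return segments


def split_query(query):
    """Split the searchpart on '&' only; ';' stays inside keys and values.
    A field with no '=' (like 'search') is kept with an empty value."""
    result = {}
    for field in query.split("&") if query else []:
        k, _, v = field.partition("=")
        result[unquote(k)] = unquote(v)
    return result


def split_url(url):
    parts = urlsplit(url)  # urlsplit leaves ';' in the path untouched
    return {
        "host": parts.netloc,
        "path": split_path(parts.path),
        "query": split_query(parts.query),
    }


if __name__ == "__main__":
    for u in ("http://www.w3af.com/foo/bar?spam;eggs=1",
              "http://f.q.d.n//path/to/file;parameter=2;par=3?search&key=val;ue"):
        print(split_url(u))
```

For the first URL the query becomes {'spam;eggs': '1'}, exactly the key/value pairing the message predicts for &-only tools; for the second, the ; parameters attach to the file segment while key keeps the value val;ue.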
