[WEB SECURITY] Repository of site URL structures?

Andres Riancho andres.riancho at gmail.com
Thu Jun 23 10:04:21 EDT 2011


Achim,

On Wed, Jun 22, 2011 at 5:02 PM, Achim Hoffmann <websec10 at sic-sec.org> wrote:
> Hi Andres,
>
>> Just noticed that you might be missing the test where you have a
>> param:    http://www.w3af.com/foo/bar?spam;eggs=1    (eggs=1) is the
>> param.
>
> not sure what's your question here, but according RFC1738 you have a
> "searchpart" (aka query string) which is in your example
>        spam;eggs=1

Actually, what I meant was this:

>>> import urlparse
>>> urlparse.urlparse('http://www.w3af.com/filename.py;SESSION=321?id=1')
ParseResult(scheme='http', netloc='www.w3af.com', path='/filename.py',
params='SESSION=321', query='id=1', fragment='')

And I called it "param" not because that's the name in the RFC (AFAIK)
but because that's how python shows it to me :)

> For those tools/frameworks/whatever which believe that a query string
> consist of key=value pairs which must be separated by & the key here
> would be
>        spam;eggs
> and the value
>        1
>
> The ; in the path of an URL is the delimiter for parameters, it should
> not be a special character in the searchpart. Example:
>        http://f.q.d.n//path/to/file;parameter=2;par=3?search&key=val;ue

Not sure if we're saying the same thing or not. What I'm trying to say
is that URLs can have a "special" section that starts with a ";" after
the filename, and tests.xml (as far as I could see) did not cover that
case.

> Therefore you have to URL-encode ; in the path, 'cause it separates path
> from parameters, but it's not necessary in the searchpart.
>
> All RFCs are wake about URL-encoding of special characters like / ; = | @
>
> IIRC the same applies to | but don't have seen examples for that since
> a very long time (may be back when Netscape Servers dominated Internet:)
>
> Sorry for being a bit off-topic, but hope it helps. At least Robert's
> examples with the ; in behind the FQDN are subject to it too, somehow.
>
> Ciao,
> Achim
>
>



-- 
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af




More information about the websecurity mailing list