webappsec October 2010 archive

Re: Extended ASCII characters used for injection

From: john s <rwnin.security_at_nospam>
Date: Tue Oct 19 2010 - 14:45:36 GMT
To: Nibbler <enibbler@gmail.com>

On Tue, Oct 19, 2010 at 8:06 AM, Nibbler <enibbler@gmail.com> wrote:
>
> I have a web app and I want to block special characters in URL on the
> web server. Do you know if there is a risk of injection (XSS...) with
> extended ASCII char (%7f-%ff)?
> Is there any reason to block these characters?

Whether or not there is a known attack vector in the character-set, it
is a good practice to enumerate & allow only what you need
(whitelisting) rather than trying to define and block badness
(blacklisting)...
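As an added illustration of the allowlist-versus-blocklist point above (example code, not from the original thread or its posters): a blocklist that rejects only the %7f-%ff range the question asks about still passes an ordinary `<script>` payload, which is made entirely of characters below %7f, while an allowlist that assumes the parameter only ever needs to be a short identifier of letters, digits, `-` and `_` rejects it. The sample values are constructed.

```python
import re
from urllib.parse import unquote

# Blocklist approach: reject only "extended ASCII" (%7f-%ff) after
# percent-decoding; every byte below %7f is let through unexamined.
def blocklist_ok(raw_value: str) -> bool:
    decoded = unquote(raw_value, encoding="latin-1")
    return all(ord(ch) < 0x7F for ch in decoded)

# Allowlist approach: enumerate exactly what this parameter needs.
# Assumed requirement: an identifier of 1-64 letters, digits, '-' or '_'.
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,64}")

def allowlist_ok(raw_value: str) -> bool:
    decoded = unquote(raw_value, encoding="latin-1")
    # fullmatch anchors both ends, so no stray character can slip past
    return ALLOWED.fullmatch(decoded) is not None

# Constructed sample query values, percent-encoded as seen in a URL.
SAMPLES = {
    "plain_id":   "report-42",                              # legitimate
    "xss_lt_7f":  "%3Cscript%3Ealert(1)%3C%2Fscript%3E",    # all bytes < 0x7f
    "ext_ascii":  "caf%E9",                                 # contains 0xE9
    "double_enc": "%253Cscript%253E",                       # decodes to %3C...
}

def classify(samples=SAMPLES):
    """Return {name: (blocklist_ok, allowlist_ok)} for each sample."""
    return {name: (blocklist_ok(v), allowlist_ok(v)) for name, v in samples.items()}

if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:11} blocklist={verdict[0]!s:5} allowlist={verdict[1]}")
```

Only `plain_id` survives the allowlist; the blocklist accepts both the script payload and the double-encoded value because neither contains a byte in %7f-%ff.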
