Hi Taras,

On Tue, May 19, 2009 at 11:59 PM, Taras P. Ivashchenko
<naplan...@gmail.com>wrote:

>
> How often in real there is such situation (when some input param is echoed
> back to the browser after url decoding)?
>
I think it's a real risk and we should at least allow for a possibility to
test for it.  I've seen it multiple times in cases where there is input
filtering and no output filtering, and somewhere after the input filtering
is done (and the obvious dangerous characters like tags and quotes are
removed), one of the libraries unencodes the input variable and converts it
from safe to dangerous.  URL encoded strings are on the XSS cheatsheet under
"URL string evasion, URL encoding" and also are the first output option on
the "Character Encoding Calculator", so the people will definitely poke for
that.
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop