LWS should not be allowed between the field name and the colon. See the section 'The “Double CR in an HTTP header” technique (and the “header SP” technique)' in http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

Lone CR should not be allowed. See the section 'The “Double CR in an HTTP header” technique (and the “header SP” technique)' in http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf (NOTE: we dubbed it "double CR" because it is part of a sequence CR+CR+LF).

Invalid chars in field name: e.g. use of underscore for attack is discussed in http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html

-Amit

Received on Thursday, 11 September 2008 19:01:50 GMT
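The three parsing rules proposed in the message above, as a strict header-block parser that refuses each construction instead of guessing at it. This is an added example, not code from the message's author or from any HTTP implementation. The sample header blocks are constructed for the demonstration. The RFC 7230 tchar set is real; the narrower CONSERVATIVE_NAME_CHARS set (letters, digits, hyphen) is an assumed policy choice that rejects underscore, since tchar itself permits it.

```python
import string

# Field-name characters permitted by RFC 7230's "tchar" production.
RFC7230_TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")

# Assumed, deliberately narrower policy set (not from the message or any RFC):
# letters, digits and hyphen only, so underscore in a field name is refused.
CONSERVATIVE_NAME_CHARS = frozenset(string.ascii_letters + string.digits + "-")


class HeaderSyntaxError(ValueError):
    """Raised for any header-block construction the strict parser refuses."""


def split_header_lines(raw: bytes) -> list:
    """Split a header block on CRLF only, refusing any CR not followed by LF.

    A lone CR (which covers the CR CR LF sequence) is rejected outright rather
    than being treated as a line ending or as whitespace. Bare LF is rejected too.
    """
    lines, start, i, n = [], 0, 0, len(raw)
    while i < n:
        if raw[i] == 0x0D:  # CR
            if i + 1 >= n or raw[i + 1] != 0x0A:
                raise HeaderSyntaxError(f"lone CR at offset {i}")
            lines.append(raw[start:i])
            i += 2
            start = i
        elif raw[i] == 0x0A:  # LF without a preceding CR
            raise HeaderSyntaxError(f"bare LF at offset {i}")
        else:
            i += 1
    if start != n:
        raise HeaderSyntaxError("header block not terminated by CRLF")
    return lines


def parse_header_field(line: bytes, allowed_name_chars=CONSERVATIVE_NAME_CHARS):
    """Parse one 'field-name: field-value' line under the strict rules."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError as exc:
        raise HeaderSyntaxError("non-ASCII byte in header line") from exc
    if text[:1] in (" ", "\t"):
        raise HeaderSyntaxError("obsolete line folding (leading whitespace)")
    name, sep, value = text.partition(":")
    if not sep:
        raise HeaderSyntaxError("no colon in header line")
    if not name:
        raise HeaderSyntaxError("empty field name")
    # Rule 1: no LWS between the field name and the colon.
    if name[-1] in (" ", "\t"):
        raise HeaderSyntaxError(f"whitespace before colon in {name!r}")
    # Rule 3: every field-name character must come from the allowed set.
    bad = [c for c in name if c not in allowed_name_chars]
    if bad:
        raise HeaderSyntaxError(f"invalid field-name character(s) {bad!r} in {name!r}")
    # Field value: trim optional surrounding whitespace, refuse control characters.
    value = value.strip(" \t")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise HeaderSyntaxError(f"control character in value of {name!r}")
    return name, value


def parse_headers(raw: bytes, allowed_name_chars=CONSERVATIVE_NAME_CHARS) -> list:
    """Parse a header block: CRLF-terminated lines, ended by an empty line."""
    fields = []
    for line in split_header_lines(raw):
        if line == b"":
            break
        fields.append(parse_header_field(line, allowed_name_chars))
    return fields


def classify(raw: bytes, allowed_name_chars=CONSERVATIVE_NAME_CHARS) -> str:
    """Return 'ok' or 'rejected: <reason>' for a header block."""
    try:
        parse_headers(raw, allowed_name_chars)
        return "ok"
    except HeaderSyntaxError as exc:
        return f"rejected: {exc}"


# Constructed sample header blocks, one per rule in the message plus a clean one.
SAMPLES = {
    "clean": b"Host: example.test\r\nContent-Length: 5\r\n\r\n",
    "space before colon": b"Content-Length : 5\r\n\r\n",
    "double CR": b"Host: example.test\r\r\nContent-Length: 5\r\n\r\n",
    "underscore in name": b"X_Forwarded_For: 10.0.0.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:>20}: {classify(raw)}")
```

Passing RFC7230_TCHAR as allowed_name_chars shows the difference between the standard's token grammar and the narrower policy: the underscore sample is accepted under the former and refused under the latter, while the whitespace-before-colon and double-CR samples are refused under both.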
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:22:29 GMT