
(issue 30) - concrete security-related examples

From: Amit Klein <aksecurity@gmail.com>
Date: Thu, 11 Sep 2008 22:05:47 +0200
Message-ID: <48C97A1B.1090007@gmail.com>
To: ietf-http-wg@w3.org

LWS should not be allowed between the field name and the colon. See the 
section 'The “Double CR in an HTTP header” technique (and the “header 
SP” technique)' in 
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

Lone CR should not be allowed. See the section 'The “Double CR in an 
HTTP header” technique (and the “header SP” technique)' in 
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf (NOTE: we 
dubbed it "double CR" because it is part of a sequence CR+CR+LF).

Invalid chars in field name: e.g. use of underscore for attack is 
discussed in 
http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html

-Amit
Received on Thursday, 11 September 2008 19:01:50 GMT
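The three parser rules Klein asks for, as an added example that is not code from the message or from the cited papers: a strict HTTP/1.1 header-block parser that rejects whitespace between the field name and the colon, a CR that is not immediately followed by LF, and non-token characters in field names (with an option to refuse '_' as well), placed next to a deliberately tolerant parser so the reader can see how the same bytes yield different header lists. The sample header blocks, the function names and the tolerant parser's behaviour are constructed for illustration, not taken from any particular server.

```python
"""Strict vs. tolerant HTTP/1.1 header-block parsing.

Added example (not from the message or the cited papers).  The strict
parser refuses the constructs Klein lists; the tolerant one is a stand-in
for a lenient intermediary, constructed here only to show the disagreement
that request smuggling exploits.  All sample inputs are constructed.
"""
from __future__ import annotations

import re

SP, HTAB, CR, LF, UNDERSCORE = 0x20, 0x09, 0x0D, 0x0A, 0x5F

# tchar from RFC 7230 section 3.2.6.  Note that '_' IS a legal tchar, so
# refusing it is a local policy decision, exposed below as a flag.
TCHAR = frozenset(
    b"!#$%&'*+-.^_`|~0123456789"
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
)


class HeaderSyntaxError(ValueError):
    """Raised for any construct the strict parser refuses to guess about."""


def split_crlf_lines(block: bytes) -> list[bytes]:
    """Split on CRLF only.  A CR not followed by LF ("lone CR", the CR+CR+LF
    case) or an LF not preceded by CR is an error, never a line terminator."""
    lines, start, i, n = [], 0, 0, len(block)
    while i < n:
        if block[i] == CR:
            if i + 1 == n or block[i + 1] != LF:
                raise HeaderSyntaxError(f"lone CR at offset {i}")
            lines.append(block[start:i])
            i += 2
            start = i
        elif block[i] == LF:
            raise HeaderSyntaxError(f"lone LF at offset {i}")
        else:
            i += 1
    if start != n:
        raise HeaderSyntaxError("header block does not end with CRLF")
    return lines


def parse_field_line(line: bytes, allow_underscore: bool = True) -> tuple[str, str]:
    """Parse one 'field-name ":" OWS field-value OWS' line strictly."""
    if line[:1] in (b" ", b"\t"):
        raise HeaderSyntaxError("obs-fold continuation line rejected")
    colon = line.find(b":")
    if colon <= 0:
        raise HeaderSyntaxError(f"missing field name or colon in {line!r}")
    name = line[:colon]
    # RFC 7230 section 3.2.4: no whitespace between field-name and ':'
    # (the "header SP" technique).  Checked first to give a precise error.
    if name[-1] in (SP, HTAB):
        raise HeaderSyntaxError(f"whitespace before colon in {name!r}")
    for b in name:
        if b not in TCHAR or (b == UNDERSCORE and not allow_underscore):
            raise HeaderSyntaxError(f"invalid byte {b:#04x} in field name {name!r}")
    value = line[colon + 1:].strip(b" \t")
    return name.decode("ascii"), value.decode("latin-1")


def parse_headers_strict(block: bytes, allow_underscore: bool = True) -> list[tuple[str, str]]:
    """Parse a header block that must end with an empty CRLF-terminated line."""
    lines = split_crlf_lines(block)
    if not lines or lines[-1] != b"":
        raise HeaderSyntaxError("header block not terminated by an empty line")
    return [parse_field_line(ln, allow_underscore) for ln in lines[:-1]]


def strict_rejects(block: bytes, allow_underscore: bool = True) -> bool:
    """True if the strict parser refuses the block."""
    try:
        parse_headers_strict(block, allow_underscore)
    except HeaderSyntaxError:
        return True
    return False


def parse_headers_tolerant(block: bytes) -> list[tuple[str, str]]:
    """Constructed lenient parser: any of CRLF, CR or LF ends a line and
    whitespace around the name is ignored.  It accepts what the strict
    parser rejects, and sees two Content-Length fields in the CR+CR+LF case."""
    out = []
    for line in re.split(rb"\r\n|\r|\n", block):
        if not line.strip():
            continue
        name, _, value = line.partition(b":")
        out.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return out


def cgi_env_name(field_name: str) -> str:
    """CGI (RFC 3875 section 4.1.18) maps a header to HTTP_<NAME> with '-'
    turned into '_', so 'X-Foo' and 'X_Foo' land in the same variable."""
    return "HTTP_" + field_name.upper().replace("-", "_")


# Constructed sample header blocks.
CLEAN = b"Host: a\r\nContent-Length: 0\r\n\r\n"
HEADER_SP = b"Host: a\r\nContent-Length : 0\r\n\r\n"
DOUBLE_CR = b"Host: a\r\nContent-Length: 0\r\rContent-Length: 44\r\n\r\n"
UNDERSCORE_NAME = b"Host: a\r\nX_Forwarded_For: 1.2.3.4\r\n\r\n"

if __name__ == "__main__":
    for label, blk in [("clean", CLEAN), ("header SP", HEADER_SP),
                       ("double CR", DOUBLE_CR), ("underscore", UNDERSCORE_NAME)]:
        print(f"{label:10s} strict rejects: {strict_rejects(blk)!s:5s} "
              f"tolerant sees: {parse_headers_tolerant(blk)}")
    print(cgi_env_name("X-Forwarded-For"), "==", cgi_env_name("X_Forwarded_For"))
```

The point of running both parsers over the same bytes is that smuggling needs exactly this disagreement: the tolerant parser treats the whitespace-before-colon line as a normal Content-Length and counts two Content-Length fields in the CR+CR+LF block, while the strict parser refuses both blocks outright and never has to choose which value to believe. Rejecting '_' goes beyond RFC 7230's token grammar; the `cgi_env_name` mapping shows why a deployment fronting CGI-style back ends may still want the `allow_underscore=False` policy.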