(issue 30) - concrete security-related examples

LWS should not be allowed between the field name and the colon. See the 
section 'The “Double CR in an HTTP header” technique (and the “header 
SP” technique)' in 
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

Lone CR should not be allowed. See the section 'The “Double CR in an 
HTTP header” technique (and the “header SP” technique)' in 
http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf (NOTE: we 
dubbed it "double CR" because it is part of a sequence CR+CR+LF).

Invalid chars in field name: e.g., the use of underscore for an attack is 
discussed in 
http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html

-Amit

Received on Thursday, 11 September 2008 19:01:50 UTC
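A strict field-line validator covering the three cases listed in the message above (whitespace before the colon, a lone CR left by CR+CR+LF, and non-token or underscore octets in the field name), added here as an illustration and not part of the original message or of any HTTP implementation. The token character set is RFC 7230's "tchar"; treating underscore as rejected-by-default is a deployment policy assumed for the example, not a grammar rule.

```python
from typing import Optional

# RFC 7230 "tchar": every octet permitted in an HTTP field-name.
TCHAR = frozenset(b"!#$%&'*+-.^_`|~"
                  b"0123456789"
                  b"abcdefghijklmnopqrstuvwxyz"
                  b"ABCDEFGHIJKLMNOPQRSTUVWXYZ")

def check_field_line(raw: bytes, allow_underscore: bool = False) -> Optional[str]:
    """Return None if one field line (CRLF included) is acceptable,
    else a short reason for the first defect found."""
    if not raw.endswith(b"\r\n"):
        return "line not terminated by CRLF"
    body = raw[:-2]
    # "Double CR": CR+CR+LF leaves a lone CR once the terminator is removed.
    if b"\r" in body:
        return "lone CR inside field line"
    if b"\n" in body:
        return "bare LF inside field line"
    if body[:1] in (b" ", b"\t"):
        return "leading whitespace (obsolete line folding)"
    name, sep, _value = body.partition(b":")
    if not sep:
        return "no colon between field-name and field-value"
    if not name:
        return "empty field-name"
    # "Header SP": whitespace between the field-name and the colon.
    if name[-1:] in (b" ", b"\t"):
        return "whitespace between field-name and colon"
    for c in name:
        if c not in TCHAR:
            return "invalid octet 0x%02x in field-name" % c
    # Underscore is a legal tchar, but CGI-style gateways map both '-' and
    # '_' to '_', so this example refuses it unless explicitly allowed.
    if b"_" in name and not allow_underscore:
        return "underscore in field-name (rejected by policy)"
    return None


if __name__ == "__main__":
    # Constructed samples; each illustrates one case from the message.
    samples = [
        b"Content-Length: 5\r\n",           # clean
        b"Content-Length : 5\r\n",          # header SP
        b"Content-Length: 5\r\r\n",         # double CR
        b"X_Forwarded_For: 10.0.0.1\r\n",   # underscore
        b"Bad\x00Name: x\r\n",              # control octet in name
    ]
    for s in samples:
        print(repr(s), "->", check_field_line(s) or "OK")
```

Rejecting the whole request on any defect, rather than normalising the line, is the point: every parser in the chain then sees the same bytes the same way.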