- From: Amit Klein <aksecurity@gmail.com>
- Date: Thu, 11 Sep 2008 22:05:47 +0200
- To: ietf-http-wg@w3.org
LWS should not be allowed between the field name and the colon. See the section 'The "Double CR in an HTTP header" technique (and the "header SP" technique)' in http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

Lone CR should not be allowed. See the section 'The "Double CR in an HTTP header" technique (and the "header SP" technique)' in http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf (NOTE: we dubbed it "double CR" because it is part of a sequence CR+CR+LF).

Invalid chars in field name: e.g. use of underscore for attack is discussed in http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html

-Amit
Received on Thursday, 11 September 2008 19:01:50 UTC
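The three parsing rules the message asks for (no whitespace between field name and colon, no lone CR, no unexpected characters in the field name) can be expressed as a strict header-block checker. The following is an added example for this archive page, not code from Amit Klein or the HTTP working group. It assumes a stricter-than-RFC profile that also rejects underscore in field names (RFC 2616's token grammar permits it; the strict profile is this example's own choice, switchable with `allow_underscore`), and the sample header blocks are constructed here.

```python
import re
from typing import List

# Field-name characters permitted by the strict profile: RFC 2616 "token"
# characters minus '_'.  Rejecting '_' is an assumption of this example,
# following the message above; it is not what the RFC grammar requires.
STRICT_TOKEN = re.compile(rb"^[!#$%&'*+.^`|~0-9A-Za-z-]+$")
RFC_TOKEN = re.compile(rb"^[!#$%&'*+.^`|~0-9A-Za-z_-]+$")


def check_header_block(raw: bytes, allow_underscore: bool = False) -> List[str]:
    """Return a list of violations found in a raw HTTP header block.

    `raw` is everything after the request line, up to and including the
    empty line that terminates the headers.  An empty list means the block
    passed every check.
    """
    problems: List[str] = []
    pattern = RFC_TOKEN if allow_underscore else STRICT_TOKEN

    for lineno, line in enumerate(raw.split(b"\r\n"), start=1):
        if line == b"":
            break  # empty line: end of headers

        # Any CR left after splitting on CRLF is a lone CR, e.g. the
        # CR CR LF sequence the message calls "double CR".
        if b"\r" in line:
            problems.append(f"line {lineno}: lone CR (not part of CRLF)")
        # A bare LF means two parsers may disagree on where the line ends.
        if b"\n" in line:
            problems.append(f"line {lineno}: bare LF (not part of CRLF)")

        if line[:1] in (b" ", b"\t"):
            problems.append(f"line {lineno}: leading whitespace / obs-fold")
            continue

        name, sep, _value = line.partition(b":")
        if not sep:
            problems.append(f"line {lineno}: header line without a colon")
            continue

        # "header SP" technique: LWS between the field name and the colon.
        if name != name.rstrip(b" \t"):
            problems.append(f"line {lineno}: whitespace between field name and colon")
            name = name.rstrip(b" \t")

        if not pattern.match(name):
            problems.append(f"line {lineno}: invalid character in field name {name!r}")

    return problems


# Constructed sample blocks (not taken from the message or the cited papers).
CLEAN = b"Host: example.com\r\nContent-Length: 5\r\n\r\n"
HEADER_SP = b"Host: example.com\r\nContent-Length : 5\r\n\r\n"
DOUBLE_CR = b"Host: example.com\r\nContent-Length: 5\r\r\nX-Extra: 1\r\n\r\n"
UNDERSCORE = b"Host: example.com\r\nX_Forwarded_For: 10.0.0.1\r\n\r\n"

if __name__ == "__main__":
    for label, block in [("clean", CLEAN), ("header SP", HEADER_SP),
                         ("double CR", DOUBLE_CR), ("underscore", UNDERSCORE)]:
        print(label, "->", check_header_block(block) or "OK")
```

A gateway or proxy that applies this check before forwarding rejects exactly the ambiguous inputs the message describes, rather than guessing how the next hop will tokenize them; the `allow_underscore` switch exists because whether `_` is acceptable depends on what the downstream application maps header names onto.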