
Thread: percent-00 in URL?

Last post 08-20-2008 6:42 AM by e1ny. 4 replies.


Page 1 of 1 (5 items)


  • 08-19-2008, 1:46 PM

    • e1ny
    • Top 25 Contributor
    • Joined on 12-10-2007, 4:50 PM
    • Posts 130

    percent-00 in URL?

    Hi All: what does putting a percent sign followed by a double zero do exactly in a URL? It seems to break IE7 completely while FF3 displays some extended character.

    I'm trying to address a vulnerability where someone's sending %-2500 in the URL (without the hyphen), which is parsed as the first string (since the %-25 is converted to a % when decoded).

    I'm trying to strip it out but I can't seem to write any server-side script to deal with it? It's like once it's been parsed it's invisible?

  • 08-19-2008, 2:35 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 10:17 PM
    • Posts 98

    Re: percent-00 in URL?

    Can you please post the specific rule that's causing the failure and the specific URL/QueryString that the client is sending?

    Thanks,
    -Wade

  • 08-19-2008, 4:05 PM In reply to

    • e1ny
    • Top 25 Contributor
    • Joined on 12-10-2007, 4:50 PM
    • Posts 130

    Re: percent-00 in URL?

    The demo URL to cause the failure looks like:

    http://www.mydomain.com/ScanAlert%2500.cfm

    I send all 404s to an ASP page that grabs the URL from the QS, so I end up with a raw QS like:

    404;http://www.mydomain.com:80/scanalert%00.cfm

    Then I pass that URL through a function to strip malicious characters, but now, I see where I was going wrong.

    The first thing I did in the function was to unescape the string, so I could filter any escaped characters, like "<", and remove them. But after playing with my script, I see that if I escape the string instead of unescaping I'll see:

    404%3Bhttp%3A//www.mydomain.com%3A80/scanalert%2500.cfm

    So now, it seems like instead of unescaping, I need to escape first...I'm wondering what the best way to handle this is, however? Should I just escape the string and then try to remove all malicious escape sequences? I guess that's no different from doing an iterative replace on "<", " ' ", etc.?

    This is legacy code in a website that has other problems, like non-parameterized SQL queries, and this is where the above error was occurring. Would parameterizing the queries protect against an escaped %00?

    Any comments would be appreciated.

  • 08-19-2008, 9:41 PM In reply to

    • wadeh
    • Top 50 Contributor
    • Joined on 04-19-2005, 10:17 PM
    • Posts 98

    Re: percent-00 in URL?

    I'm not sure that I understand your process end-to-end, but it seems like your strategy of unescaping each character and comparing it to a list of dangerous characters could work.

    The caveat, of course, is that you would need to special case %00 in your unescape code.  The issue is that when you unescape this, you are inadvertently terminating the string.  So when you see this, you should either drop it or convert it into a safe character.  Normally, I would advocate just failing a request that has %00 in it, except that this appears to be some kind of failed request logging and you don't want to introduce a way for malicious URLs to escape logging.

    I hope that this helps,
    -Wade
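As an added example, not code from either poster: a Python sketch of Wade's suggestion, decoding the logged query string to a fixed point so that %2500 is recognized as a null byte, then either failing the request or re-encoding the unsafe characters before the value is logged. SAMPLE_QS is constructed from the URL quoted in the thread; the DANGEROUS set and the five-round limit are assumptions.

```python
import urllib.parse

# Constructed sample, not taken from the thread's server: the raw 404 query
# string quoted above, carrying the double-encoded null byte (%2500).
SAMPLE_QS = "404;http://www.mydomain.com:80/scanalert%2500.cfm"

# Characters the thread treats as dangerous (assumed list); every ASCII
# control character, NUL included, is handled separately below.
DANGEROUS = set("<>'\"")


def fully_decode(s, max_rounds=5):
    """Percent-decode repeatedly until the value stops changing.

    One round turns %2500 into %00; the next turns %00 into a real NUL.
    Bounding the rounds stops an attacker from stacking encodings forever.
    """
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            return s
        s = decoded
    raise ValueError("too many percent-encoding layers")


def has_null(raw):
    """True when the fully decoded value contains a NUL (fail-the-request policy)."""
    return "\x00" in fully_decode(raw)


def sanitize_for_log(raw):
    """Decode first, then re-encode anything unsafe (Wade's special-case advice).

    NUL and other control characters come back as literal %XX text, so the
    stored log line never holds a raw null byte, yet the attempt stays visible.
    """
    return "".join(
        "%%%02X" % ord(ch) if ch in DANGEROUS or ord(ch) < 0x20 else ch
        for ch in fully_decode(raw)
    )


if __name__ == "__main__":
    print("reject:", has_null(SAMPLE_QS))          # True
    print("logged:", sanitize_for_log(SAMPLE_QS))  # ...scanalert%00.cfm (text)
```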

  • 08-20-2008, 6:42 AM In reply to

    • e1ny
    • Top 25 Contributor
    • Joined on 12-10-2007, 4:50 PM
    • Posts 130

    Re: percent-00 in URL?

    Thanks Wade...just to be clear, this code was designed to prevent sql-injection and cross-site scripting attacks.

    I rewrote the code to first escape, then strip escaped chars, instead of my original attempt to first unescape, then strip unescaped characters, and this seems to be working. Unescaping %-2500 just allowed the null character to be preserved, which later caused a failure in the SQL query, but now I'm getting rid of it.
