Chapter 11.  Preventing Common Problems

Table of Contents

The Generic Meta-Characters Problem
Attacks on The Users
Cross-Site Scripting
Attacks on the System
Direct SQL Commands
Direct OS Commands
Path Traversal and Path Disclosure
Null Bytes
Canonicalization
URL Encoding
Parameter Manipulation
Cookie Manipulation
HTTP Header Manipulation
HTML Form Field Manipulation
URL Manipulation
Miscellaneous
Vendors Patches
System Configuration
Comments in HTML
Old, Backup and Un-referenced Files
Debug Commands
Default Accounts

The Generic Meta-Characters Problem

Meta characters are non-printable and printable characters, which affect the behavior of programming language commands, operating system commands, individual program procedures and database queries. Meta-Characters can be encoded in non-obvious ways, so canonicalization of data (conversion to a common character set) before stripping meta-characters is essential.

Example meta-characters and typical uses can be found below.

[ ; ] Semicolons for additional command-execution
[ | ] Pipes for command-execution
[ ! ] Call signs for command-execution
[ & ] Used for command-execution
[ x20 ] Spaces for faking urls and other names (especial in URLs!)
[ x00 ] Nullbytes for truncating strings and filenames
[ x04 ] EOT for faking file ends
[ x0a ] New lines for additional command-execution
[ x0d ] New lines for additional command-execution
[ x1b ] Escape
[ x08 ] Backspace
[ x7f ] Delete
[ ~ ] Tildes
[ ' " ] Quotation marks (often in combination with database-queries)
[ - ] in combination with database-queries and creation of negative numbers
[ *% ] used in combination with database-queries
[ ` ] Backticks for command execution
[ /\ ] Slashes and Backslashes for faking paths and queries
[ <> ] LTs and GTs for file-operations
[ <> ] for creating script-language related TAGS within documents on webservers!
[ ? ] Programming/scripting- language related
[ $ ] Programming/scripting- language related
[ @ ] Programming/scripting- language related
[ : ] Programming/scripting- language related
[ ({[]}) ] Programming/scripting/regex and language-related
[../] two dots and a slash or backslash - for faking filesystem paths

There are very few reasons why these characters should form legitimate input to web applications. The following sections describe in more detail some of the ways in which they are used to mount attacks on both systems and users.