
URL Encoding

RFC 1738: Uniform Resource Locators (URL) specification

The specification for URLs (RFC 1738, Dec. '94) poses a problem, in that it limits the characters allowed in URLs to a small subset of the US-ASCII character set: "...Only alphanumerics [0-9a-zA-Z], the special characters "$-_.+!

HTML, on the other hand, allows the entire ISO-8859-1 (ISO-Latin) character set to be used in documents, and HTML4 expands the allowable range to include all of the Unicode character set as well.

URLs should be encoded everywhere in an HTML document that a URL is referenced to import an object (the A, APPLET, AREA, BASE, BGSOUND, BODY, EMBED, FORM, FRAME, IFRAME, ILAYER, IMG, ISINDEX, INPUT, LAYER, LINK, OBJECT, SCRIPT, SOUND, TABLE, TD, TH and TR elements).

What characters need to be encoded and why?

How are characters URL encoded?

Example: Space is decimal code point 32 in the ISO-Latin set. 32 decimal is 20 in hexadecimal, so the URL-encoded representation is "%20".

Hacking Exposed - Web Applications

Category:Attack

This category is for tagging common types of application security attacks.

What is an attack? Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. All attack articles should follow the Attack template.

Example: Brute Force is an exhaustive attack that works by testing every possible value of a parameter (password, file name, etc.).

Note: many of the items marked as vulnerabilities in CLASP and other places are really attacks.

This category has 12 subcategories and 68 pages.

List of HTTP status codes

Response codes of the Hypertext Transfer Protocol. The Internet Assigned Numbers Authority (IANA) maintains the official registry of HTTP status codes.[1] All HTTP response status codes are separated into five classes or categories:

1xx informational response – the request was received, continuing process
2xx successful – the request was successfully received, understood, and accepted
3xx redirection – further action needs to be taken in order to complete the request
4xx client error – the request contains bad syntax or cannot be fulfilled
5xx server error – the server failed to fulfil an apparently valid request

1xx informational response

An informational response indicates that the request was received and understood.

100 Continue

101 Switching Protocols
The requester has asked the server to switch protocols and the server has agreed to do so.

102 Processing (WebDAV; RFC 2518)
A WebDAV request may contain many sub-requests involving file operations, requiring a long time to complete the request.

HTTP Headers for Dummies

Whether you're a programmer or not, you have seen it everywhere on the web. At this moment your browser's address bar shows something that starts with " Even your first Hello World script sent HTTP headers without you realizing it. In this article we are going to learn about the basics of HTTP headers and how we can use them in our web applications.

What are HTTP Headers?

HTTP stands for "Hypertext Transfer Protocol". HTTP headers are the core part of HTTP requests and responses, and they carry information about the client browser, the requested page, the server and more.

Example

When you type a URL in your address bar, your browser sends an HTTP request, and it may look like this:

The first line is the "Request Line", which contains some basic info on the request. After that request, your browser receives an HTTP response that may look like this:

The first line is the "Status Line", followed by the HTTP headers, until the blank line.

How to See HTTP Headers

Firebug
Live HTTP Headers

Host

Research Labs

Cost: Free
Source Code: GitHub
Version: (XMAS edition)
Requirements: .Net Framework
License: GPL
Release Date: 2008-12-14
Recent Changes:
- Fixed incorrect links spider bug
- Added time anomaly functionality in back-end scanner
- Added easy access (and icons) to findings in back-end scanner
- Fixed executable finding occasionally not showing bug

Wikto is Nikto for Windows - but with a couple of fancy extra features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.

Testing Your Web Applications for Cross-Site Scripting Vulnerabilities

Published: May 6, 2005 by Chris Weber, Casaba Security, LLC (

By now there’s no argument that cross-site scripting attacks are real and potently dangerous. XSS attacks involve three parties:

- The attacker
- The victim
- The vulnerable Web site that the attacker exploits to take action on the victim

Out of the three parties, the victim is the only one who actually runs the attacker’s code.

What does an XSS vulnerability look like?

XSS vulnerabilities exist when a Web application accepts user input through HTTP requests such as a GET or a POST and then redisplays the input somewhere in the output HTML code.

1. GET
2. <h1>Section Title</h1>

You can see that the user input passed to the “title” query string parameter was probably placed in a string variable and inserted by the Web application into an <h1> tag.

3. The attacker could inject code by breaking out of the <h1> tag: There are many variations to try.

Password Checker - Evaluate pass strength, dictionary attack

Nessus Vulnerability Scanner

With Advanced Support for Nessus Pro, your teams will have access to phone, Community, and chat support 24 hours a day, 365 days a year. This advanced level of technical support helps to ensure faster response times and resolution to your questions and issues.

Advanced Support Plan Features

Phone Support: phone support 24 hours a day, 365 days a year, available for up to ten (10) named support contacts.
Chat Support: chat support available to named support contacts via the Tenable Community, 24 hours a day, 365 days a year.
Tenable Community Support Portal: all named support contacts can open support cases within the Tenable Community.

Initial Response Time
P1-Critical: < 2 hr
P2-High: < 4 hr
P3-Medium: < 12 hr
P4-Informational: < 24 hr

Support Contacts: support contacts must be reasonably proficient in the use of information technology and the software they have purchased from Tenable, and familiar with the customer resources that are monitored by means of the software.

Paros

sqlmap: automatic SQL injection and database takeover tool

ISMS (SMSI) and ISO 27001

The question of documenting an ISMS is often reduced to the need to build a four-level documentation system:

But the need to build ISMS documentation goes well beyond the need to document the security-related processes alone. Writing the procedures down must allow a better understanding of the process. The act of writing facilitates rational, scientific reasoning. One should draw on the studies and research into the stakes and benefits of documenting quality in an ISO 9000 organization. An ISO 9000 quality reference framework is a knowledge-management tool that leads to knowledge being made explicit and disseminated within the company:

- a process of sharing experiences that in practice develops technical skills
- the transformation of concepts into explicit knowledge
- a means of assimilating this explicit knowledge into operational know-how

Nevertheless, some obstacles are more specific to ISMSs: