WE1&2

Advanced Topics –
Character Encoding

What is a dot?

Double dot sequences are recognized and rejected (by web server, IDS, application).

–A dot is a dot, e.g. /app/../admin/shutdown

–URL encoded, it is /app/%2e%2e/admin/shutdown

–IIS extension: /app/%u002e%u002e/admin/shutdown

–Double encoded: /app/%252e%252e/admin/shutdown

–UTF-8 overlong (2 bytes), un-URL-encoded:

/app/(C0)(AE)(C0)(AE)/admin/shutdown

–UTF-8 overlong (2bytes), URL-encoded:

/app/%c0%ae%c0%ae/admin/shutdown

–