[Esapi-user] disabling logging

Kevin W. Wall kevin.w.wall at gmail.com
Tue Sep 28 21:34:57 EDT 2010

Jeff Williams wrote:
> Hmm...August is right.  This isn't the IntrusionDetector.  This is an
> IntrusionException thrown directly by the canonicalize() method when it
> encounters double-encoding.   That's why disabling the IntrusionDetector
> isn't helping here.
> There are a few workarounds that would allow this to work, but I'm not
> sure how far down this road we want to go.  In my opinion, having a
> double-encoded cookie doesn't make a lot of sense and we shouldn't go
> out of our way to accommodate it.

Yesterday, while helping someone with a security evaluation of a 3rd
party portal written in PHP, I ran across a *triple* URL encoded cookie!
Amazing... here is the Cookie: header...

Cookie: eternalchip=MTU1LjcwLjM5LjQ1OjEyODQ5OTMyMTI%3D;
session=1969df7fcaaa937aa1ecf388270c772b9cf792ff-1284993212; s_nr=1284993261522;
dslv=1285604652365; __qca=P0-1046893203-1285344060654;
dslv_s=Less%20than%207%20days; temporalchip=MTU1LjcwLjM5LjQ1OjEyODU2MDQ0Mjk%3D;

The s_sq cookie name is the one that is triple URL encoded. (I've obfuscated the
domain name to protect the guilty. ;-)

No explanation from the vendor other than "that's how it works".

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
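The check Jeff describes above (canonicalize() rejecting input that was encoded more than once) is easy to reproduce for percent-encoding alone. The following is an added example written for this thread, not ESAPI's code: it decodes a value repeatedly until it stops changing, counts how many layers were peeled, and in strict mode refuses anything that needed more than one pass, loosely modelled on ESAPI's canonicalize(input, strict). It is a simplification in that ESAPI also handles HTML-entity and other codecs and flags mixed encodings. The Cookie header is constructed from the values quoted in the post plus a made-up, triple-encoded s_sq value, since the original s_sq is not shown; the function names are this example's own.

```python
"""Count percent-encoding layers in cookie values and reject multiply-encoded input.

Added example for the Esapi-user thread on double-encoded cookies; not ESAPI code.
"""
from urllib.parse import quote, unquote


class MultipleEncodingError(ValueError):
    """Raised in strict mode when a value was percent-encoded more than once."""


def url_decoding_layers(value, max_layers=8):
    """Percent-decode until the text stops changing.

    Returns (canonical_value, layers). Each successful pass strictly shortens
    the string, so the loop always terminates; max_layers is only a guard.
    Unquoting a value that contains no valid %XX sequence leaves it unchanged,
    which is how a literal '%' (e.g. "100%") is handled without looping.
    """
    layers = 0
    current = value
    while layers < max_layers:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        layers += 1
    return current, layers


def canonicalize(value, strict=True):
    """Return the fully decoded value.

    With strict=True, a value that needed more than one decoding pass is
    rejected, mirroring the IntrusionException behaviour discussed in the
    thread. With strict=False the fully decoded form is returned regardless.
    """
    canonical, layers = url_decoding_layers(value)
    if strict and layers > 1:
        raise MultipleEncodingError(
            f"value required {layers} decoding passes: {value!r}")
    return canonical


def audit_cookie_header(header):
    """Map each cookie name in a Cookie: header to (canonical_value, layers)."""
    report = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';' as in the quoted header
        name, sep, raw_value = part.partition("=")
        if not sep:
            continue  # bare flag without a value; nothing to decode
        report[name.strip()] = url_decoding_layers(raw_value.strip())
    return report


def multiply_encoded(report):
    """Names of cookies whose value needed more than one decoding pass."""
    return sorted(name for name, (_, layers) in report.items() if layers > 1)


# Constructed sample: a plausible s_sq payload, percent-encoded three times.
TRIPLE_ENCODED_S_SQ = quote(quote(quote("cid=12345&x=1", safe=""), safe=""), safe="")

# Constructed header: values from the post, plus the made-up s_sq above.
SAMPLE_COOKIE_HEADER = (
    "eternalchip=MTU1LjcwLjM5LjQ1OjEyODQ5OTMyMTI%3D; "
    "session=1969df7fcaaa937aa1ecf388270c772b9cf792ff-1284993212; "
    "dslv_s=Less%20than%207%20days; "
    f"s_sq={TRIPLE_ENCODED_S_SQ};"
)


if __name__ == "__main__":
    for name, (canonical, layers) in audit_cookie_header(SAMPLE_COOKIE_HEADER).items():
        print(f"{name:12s} layers={layers}  canonical={canonical!r}")
    print("multiply encoded:", multiply_encoded(audit_cookie_header(SAMPLE_COOKIE_HEADER)))
```

Running it reports one decoding layer for the base64 eternalchip value (the trailing %3D is a single-encoded '='), none for the session id, and three for the constructed s_sq, which is the only cookie a strict canonicalize() would reject. If an application genuinely has to accept such a cookie, the practical choice is to decode it with strict=False on that one field and log the layer count, rather than disabling intrusion handling globally.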
