[Esapi-user] disabling logging

Kevin W. Wall kevin.w.wall at gmail.com
Tue Sep 28 21:34:57 EDT 2010


Jeff Williams wrote:
> Hmm...August is right.  This isn't the IntrusionDetector.  This is an
> IntrusionException thrown directly by the canonicalize() method when it
> encounters double-encoding.   That's why disabling the IntrusionDetector
> isn't helping here.
>
> There are a few workarounds that would allow this to work, but I'm not
> sure how far down this road we want to go.  In my opinion, having a
> double-encoded cookie doesn't make a lot of sense and we shouldn't go
> out of our way to accommodate it.

Yesterday, while helping someone with a security evaluation of a 3rd
party portal written in PHP, I ran across a *triple* URL encoded cookie!
Amazing... here is the Cookie: header...

Cookie: eternalchip=MTU1LjcwLjM5LjQ1OjEyODQ5OTMyMTI%3D;
session=1969df7fcaaa937aa1ecf388270c772b9cf792ff-1284993212; s_nr=1284993261522;
dslv=1285604652365; __qca=P0-1046893203-1285344060654;
dslv_s=Less%20than%207%20days; temporalchip=MTU1LjcwLjM5LjQ1OjEyODU2MDQ0Mjk%3D;
s_cc=true;
s_sq=xxxxxxxx%3D%2526pid%253Dhomepage%2526pidt%253D1%2526oid%253Dhttps%25253A//www.xxxxxxx.com/login/index.php%2526ot%253DA%2526oi%253D178;
accountstart=1282340959%3A6de919ba09db13279232d7a1fae319aa

The s_sq cookie name is the one that is triple URL encoded. (I've obfuscated the
domain name to protect the guilty. ;-)

No explanation from the vendor other than "that's how it works".

-kevin
-- 
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
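
The check discussed in this thread, sketched as an added example (not part of the message above and not ESAPI's code): it counts percent-encoding layers in cookies taken from the quoted Cookie: header and rejects any value encoded more than once. The function names, `MultipleEncodingError` and the 8-round bound are assumptions, and only URL encoding is handled.

```python
from urllib.parse import unquote

# Cookies copied from the Cookie: header quoted in the message above.
COOKIE_HEADER = (
    "session=1969df7fcaaa937aa1ecf388270c772b9cf792ff-1284993212; "
    "dslv_s=Less%20than%207%20days; "
    "s_sq=xxxxxxxx%3D%2526pid%253Dhomepage%2526pidt%253D1%2526oid%253Dhttps%25253A"
    "//www.xxxxxxx.com/login/index.php%2526ot%253DA%2526oi%253D178; "
    "accountstart=1282340959%3A6de919ba09db13279232d7a1fae319aa"
)


class MultipleEncodingError(ValueError):
    """Hypothetical stand-in for a strict canonicalizer's rejection."""


def decode_layers(value, max_rounds=8):
    """Percent-decode until the value is stable; return (decoded, layers)."""
    layers = 0
    while layers < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            return value, layers
        value, layers = decoded, layers + 1
    # Assumed bound: give up rather than keep decoding attacker-supplied input.
    raise MultipleEncodingError("still changing after %d rounds" % max_rounds)


def strict_canonicalize(value):
    """Return the decoded value, rejecting anything encoded more than once."""
    decoded, layers = decode_layers(value)
    if layers > 1:
        raise MultipleEncodingError("%d encoding layers" % layers)
    return decoded


def audit_cookie_header(header):
    """Map each cookie name to its number of percent-encoding layers."""
    report = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            report[name] = decode_layers(value)[1]
    return report


if __name__ == "__main__":
    for name, layers in audit_cookie_header(COOKIE_HEADER).items():
        print(name, layers, "REJECT" if layers > 1 else "ok")
```
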

