ASP.NET Canonicalization issues
Many articles on the Net talk about the ASP.NET canonicalization problem, but it seems to me that things are sometimes a little amplified. Canonicalization is the procedure that determines how the many equivalent forms of a name are mapped to a single, unique form.
The problem can be summarized like this: if a visitor to an ASP.NET site substitutes '\' (or its URL-encoded form '%5C') for the '/' character in the URL, they may be able to bypass the authentication screens and URL authorization rules that protect a directory. The path that the authorization check compares against the protected location no longer matches, while the server still resolves and serves the same file. The technique may also work if a space is substituted for the slash.
Microsoft has published a pretty nice article that can be found here: http://support.microsoft.com/?kbid=887459. The article shows how to work around the canonicalization issue by rejecting requests whose path is not in canonical form before they reach the page. Such a check in Global.asax is a stop-gap, not a substitute for the framework fix Microsoft later shipped. Of course, in programming nothing should be taken on faith: everything must be tested.
The C# code example published there was like this:
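As an added example (this is not the listing from the KB article, nor code from the original post), the following shows the shape of the fix the article describes: an Application_BeginRequest handler in the Global.asax code-behind that refuses any request whose virtual path contains a backslash, raw or as %5C, or whose mapped physical path changes under full normalization, plus a small console harness that runs the rule over constructed sample paths without IIS. The class and method names (PathCanon, IsNonCanonical, Program), the sample paths, and the choice to answer with a 404 are my assumptions.

```csharp
// Added example, not the code from KB 887459: reject requests whose path is not in
// canonical form before ASP.NET's authorization and page handlers see them.
// Requires a reference to System.Web.dll (.NET Framework); the harness in Main runs
// the rule over constructed sample paths and assumes Windows path semantics.
using System;
using System.IO;
using System.Web;

public static class PathCanon
{
    // Returns true when the request should be refused.
    // requestPath  : the virtual path (Request.Path, already URL-decoded by ASP.NET)
    // physicalPath : the file ASP.NET mapped it to (Request.PhysicalPath), or null
    public static bool IsNonCanonical(string requestPath, string physicalPath)
    {
        if (requestPath == null)
            return true;

        // A backslash in the virtual path is never legitimate in a URL; this is the
        // substitution the bypass relies on. Request.Path is decoded, so a '%5C' in
        // the URL arrives here as '\'; the encoded form is checked too in case a
        // caller passes the raw URL instead of the decoded path.
        if (requestPath.IndexOf('\\') >= 0 ||
            requestPath.IndexOf("%5c", StringComparison.OrdinalIgnoreCase) >= 0)
            return true;

        // If normalizing the mapped physical path changes it, the request used a
        // non-canonical spelling ("..", ".", doubled separators) to reach the file.
        if (physicalPath != null &&
            !string.Equals(Path.GetFullPath(physicalPath), physicalPath, StringComparison.Ordinal))
            return true;

        return false;
    }
}

// Global.asax code-behind: ASP.NET wires Application_BeginRequest by name.
public class Global : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (PathCanon.IsNonCanonical(Request.Path, Request.PhysicalPath))
        {
            // Answer as if the resource does not exist rather than revealing the rule.
            throw new HttpException(404, "Not found");
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample requests: (virtual path, mapped physical path).
        string root = @"C:\inetpub\wwwroot";
        string[][] samples =
        {
            new[] { "/secure/page.aspx",           root + @"\secure\page.aspx" },           // canonical: allow
            new[] { @"/secure\page.aspx",          root + @"\secure\page.aspx" },           // backslash: refuse
            new[] { "/secure%5Cpage.aspx",         root + @"\secure\page.aspx" },           // encoded backslash: refuse
            new[] { "/public/../secure/page.aspx", root + @"\public\..\secure\page.aspx" }  // not normalized: refuse
        };

        foreach (string[] s in samples)
        {
            bool refuse = PathCanon.IsNonCanonical(s[0], s[1]);
            Console.WriteLine("{0,-32} -> {1}", s[0], refuse ? "refuse (404)" : "allow");
        }
    }
}
```

Two points worth testing on a real deployment rather than trusting the harness: Request.Path is handed to the handler already decoded, so the '%5C' branch only matters if you feed it Request.RawUrl; and Path.GetFullPath follows the host's path rules, so the physical-path comparison is meaningful on Windows/IIS but will flag everything when the harness is run on a non-Windows runtime with the sample drive-letter paths above.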