Re: IE URL obfuscation bug, part 2 -- failure to send server the full obfuscated URL

From: Felix Kasza (felixk2_at_MVPS.ORG)
Date: 12/11/03

  • Next message: Nick FitzGerald: "Re: IE URL obfuscation"
    Date:         Thu, 11 Dec 2003 20:12:51 +0100


    > User types into the URL bar:
    > [...]
    > So the server is unable to see the original URL,
    > with the obfuscated portions. [...]

    The server will never see the 01h byte as part of either host name or
    path, as it is part of the authentication data -- it belongs to the
    "username" part in


    If the server responded with a 401 to the initial request, forcing the
    browser to submit authentication data, the server would get to see the
    01h byte, but still not as part of the URL or host name.

