Re: Why is "oN%3d" so dangerous?

From: Joe Kaplan \(MVP - ADSI\) (
Date: 10/01/04

  • Next message: Nicole Calinoiu: "Re: Why is "oN%3d" so dangerous?"
    Date: Fri, 1 Oct 2004 10:09:41 -0500

    I've wondered about this too. It seems you can't put straight base64 text
    on a query string because it needs to be encoded. However, you sometimes
    run into funny encoding issues.

    One thing that I'm pretty sure you can do with impunity is hex-encode your
    binary encrypted data and then just put the hex string string on the query
    string. .NET doesn't seem to have helpful hex-encoding functions like the
    Base64 functions, but it isn't hard to write your own.

    Sorry I didn't answer your actual question. I have no idea on that part.

    Joe K.

    "Mike Kozlowski" <> wrote in message
    > In an ASP.NET 1.1 application, I'm encrypting URL parameters. This
    > has mostly been working great, but yesterday, one particular URL got
    > caught by the XSS checker, giving me the "A potentially dangerous
    > Request.QueryString value was detected from the client". Several
    > questions arise from this:
    > 1. By reducing the querystring down as much as possible, I've found
    > that the offending characters are "oN%3d" -- removing the o, the
    > N, or the %3d, will all result in the string being okay; but
    > leaving all of them together like that triggers the validator.
    > Why? This is completely inexplicable to me.
    > 2. What on earth can I do to avoid this? I'm already URL-encoding
    > (that %3d, obviously, was an '=' character), and HTML-encoding
    > doesn't seem like it'd have any effect on that string. I'd really
    > like to be able to pass random strings around without seemingly
    > innocuous characters triggering hard-fail validations.
    > Advice? Explanation?
    > --
    > Mike Kozlowski

  • Next message: Nicole Calinoiu: "Re: Why is "oN%3d" so dangerous?"