Re: Why is "oN%3d" so dangerous?
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: Fri, 1 Oct 2004 10:09:41 -0500
I've wondered about this too. It seems you can't put straight base64 text
on a query string because it needs to be encoded. However, you sometimes
run into funny encoding issues.
One thing that I'm pretty sure you can do with impunity is hex-encode your
binary encrypted data and then just put the hex string on the query
string. .NET doesn't seem to have helpful hex-encoding functions like the
Base64 functions, but it isn't hard to write your own.
Sorry I didn't answer your actual question. I have no idea on that part.
"Mike Kozlowski" <email@example.com> wrote in message
> In an ASP.NET 1.1 application, I'm encrypting URL parameters. This
> has mostly been working great, but yesterday, one particular URL got
> caught by the XSS checker, giving me the "A potentially dangerous
> Request.QueryString value was detected from the client". Several
> questions arise from this:
> 1. By reducing the querystring down as much as possible, I've found
> that the offending characters are "oN%3d" -- removing the o, the
> N, or the %3d, will all result in the string being okay; but
> leaving all of them together like that triggers the validator.
> Why? This is completely inexplicable to me.
> 2. What on earth can I do to avoid this? I'm already URL-encoding
> (that %3d, obviously, was an '=' character), and HTML-encoding
> doesn't seem like it'd have any effect on that string. I'd really
> like to be able to pass random strings around without seemingly
> innocuous characters triggering hard-fail validations.
> Advice? Explanation?
> Mike Kozlowski
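
The hex-encoding approach suggested in the reply, sketched as an added example that is not part of the original thread: a strict hex encoder/decoder written for current C#. The `HexCodec` class name and the sample bytes are constructed for illustration; the output alphabet is only 0-9 and a-f, so it never contains the `+`, `/` or `=` that Base64 emits and needs no URL-encoding.

```csharp
using System;
using System.Text;

// Hypothetical helper (not from the thread): hex codec for binary query-string values.
public static class HexCodec
{
    private const string Digits = "0123456789abcdef";

    // Encode bytes as lowercase hex, two characters per byte.
    public static string Encode(byte[] data)
    {
        if (data == null) throw new ArgumentNullException("data");
        StringBuilder sb = new StringBuilder(data.Length * 2);
        foreach (byte b in data)
        {
            sb.Append(Digits[b >> 4]);
            sb.Append(Digits[b & 0x0F]);
        }
        return sb.ToString();
    }

    // Strict decode: odd lengths and non-hex characters are rejected, not skipped,
    // because the value arrives from the client and must be treated as untrusted.
    public static byte[] Decode(string hex)
    {
        if (hex == null) throw new ArgumentNullException("hex");
        if (hex.Length % 2 != 0) throw new FormatException("Odd-length hex string.");
        byte[] result = new byte[hex.Length / 2];
        for (int i = 0; i < result.Length; i++)
            result[i] = (byte)((Nibble(hex[2 * i]) << 4) | Nibble(hex[2 * i + 1]));
        return result;
    }

    private static int Nibble(char c)
    {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        throw new FormatException("Invalid hex character.");
    }

    public static void Main()
    {
        // Constructed sample bytes standing in for ciphertext.
        byte[] sample = { 0xfb, 0xff, 0xbe, 0x01 };
        Console.WriteLine("base64: " + Convert.ToBase64String(sample));
        string hex = Encode(sample);
        Console.WriteLine("hex:    " + hex);
        Console.WriteLine("round trip ok: " + (Encode(Decode(hex)) == hex));
    }
}
```

Hex doubles the length of the data, where Base64 adds about a third, so check the result against URL length limits for large values.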