Feature #524: detect double encoding in URI

Added by Victor Julien over 13 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal

Description

Update libhtp/suricata to detect double encoding in URI path and query string.

Updated by Anoop Saldanha over 13 years ago #1

Is this update libhtp or suricata?

Updated by Victor Julien over 13 years ago #2

I think the least performance impacting way would be in the current libhtp decode routines. It would be best if we can do it w/o doing a separate pass over the data.

Updated by Victor Julien over 13 years ago #3

  • Target version changed from 1.4 to 1.4beta2

Updated by Victor Julien over 13 years ago #4

  • Target version changed from 1.4beta2 to 1.4beta3

Updated by Victor Julien over 13 years ago #5

  • Target version changed from 1.4beta3 to 1.4rc1

Updated by Victor Julien over 13 years ago #6

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien

Talking to libhtp upstream for determining the best strategy here.

Updated by Victor Julien over 13 years ago #7

  • Target version changed from 1.4rc1 to 2.0rc2

Updated by Victor Julien about 13 years ago #8

  • Parent task set to #775

Updated by Victor Julien about 12 years ago #9

  • Target version changed from 2.0rc2 to 3.0RC2

Updated by Victor Julien over 10 years ago #10

  • Target version changed from 3.0RC2 to 70

Updated by Victor Julien about 9 years ago #11

  • Status changed from Assigned to New
  • Assignee changed from Victor Julien to OISF Dev
  • Target version changed from 70 to TBD

Updated by Victor Julien almost 7 years ago #12

  • Assignee changed from OISF Dev to Philippe Antoine
  • Target version changed from TBD to 70
  • Parent task deleted (#775)

Updated by Victor Julien almost 7 years ago #13

  • Status changed from New to Assigned

Updated by Philippe Antoine almost 7 years ago #14

What is expected here? I.e., what do you mean by "detect"?
Should we trigger an http event? Or should we double decode the URI if necessary? (and keep raw uri as is already done)

Updated by Victor Julien almost 7 years ago #15

I think the idea is/was that double decoding is possibly used as an evasion technique, so we want to be able to decode it and indeed match on the fact that it's double decoded. So a http event indeed.

Updated by Victor Julien almost 7 years ago #16

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 5.0rc1
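
The single-pass approach discussed in comments #2 and #15, as an added example that is not part of the thread and is not libhtp or Suricata code: a percent-decoder that flags, while it decodes, output that a second decode would change again. The function names `uri_decode_once` and `uri_is_double_encoded`, the 255-byte wrapper limit and the sample URIs are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(unsigned char c)
{
    return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
}

/* Illustrative, not libhtp code: percent-decode in[0..len) into out (capacity
 * >= len + 1) in one pass. Returns 1 when the output contains "%HH" with one
 * of those bytes produced by an escape, so a second decode would change it. */
int uri_decode_once(const char *in, size_t len, char *out, size_t *outlen)
{
    size_t i = 0, o = 0;
    int dbl = 0, hist = 0; /* hist bit k: output byte o-1-k came from an escape */
    while (i < len) {
        int hi = 0, lo = 0, esc = 0;
        unsigned char c = (unsigned char)in[i];
        if (c == '%' && i + 2 < len && (hi = hexval(in[i + 1])) >= 0 &&
            (lo = hexval(in[i + 2])) >= 0) {
            c = (unsigned char)(hi * 16 + lo);
            esc = 1;
            i += 2; /* skip the two hex digits */
        }
        i++;
        out[o++] = (char)c;
        hist = ((hist << 1) | esc) & 7; /* keep flags for the last three bytes */
        if (o >= 3 && hist && out[o - 3] == '%' &&
            hexval(out[o - 2]) >= 0 && hexval(out[o - 1]) >= 0)
            dbl = 1; /* point where an IDS could raise its HTTP event */
    }
    out[o] = '\0';
    *outlen = o;
    return dbl;
}

/* Hypothetical wrapper for NUL-terminated input; inspects at most 255 bytes. */
int uri_is_double_encoded(const char *uri)
{
    char buf[256];
    size_t n = strlen(uri);
    return uri_decode_once(uri, n < sizeof buf ? n : sizeof buf - 1, buf, &n);
}

int main(void)
{
    printf("%d %d\n", uri_is_double_encoded("/%2e"), uri_is_double_encoded("/%252e"));
    return 0;
}
```

Because the check runs on the decoded output rather than on the input spelling, it needs no second pass, and the once-decoded buffer stays available alongside the raw URI for matching.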