Feature #524

detect double encoding in URI

Added by Victor Julien almost 13 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal

Description

Update libhtp/suricata to detect double encoding in URI path and query string.

#1

Updated by Anoop Saldanha almost 13 years ago

Is this update for libhtp or suricata?

#2

Updated by Victor Julien almost 13 years ago

I think the least performance impacting way would be in the current libhtp decode routines. It would be best if we can do it w/o doing a separate pass over the data.

#6

Updated by Victor Julien over 12 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien

Talking to libhtp upstream for determining the best strategy here.

#14

Updated by Philippe Antoine about 6 years ago

What is expected here? I.e., what do you mean by "detect"?
Should we trigger an HTTP event? Or should we double decode the URI if necessary? (and keep the raw URI, as is already done)

#15

Updated by Victor Julien about 6 years ago

I think the idea is/was that double decoding is possibly used as an evasion technique, so we want to be able to decode it and indeed match on the fact that it's double decoded. So an HTTP event indeed.

#16

Updated by Victor Julien about 6 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 5.0rc1
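
Added example (not part of the ticket, and not libhtp or Suricata code): one way to flag double encoding inside the decode loop itself, without a separate pass over the data, as discussed in the thread. The function name `uri_decode_once` and the `URI_FLAG_*` constants are hypothetical; the check flags any `%HH` sequence that survives in the decoded output, which also covers the case where the hex digits themselves were encoded.

```c
#include <stdio.h>
#include <stddef.h>
/* Hypothetical flag names for this example; not libhtp or Suricata identifiers. */
#define URI_FLAG_ENCODED        0x01u /* at least one %HH escape was decoded */
#define URI_FLAG_DOUBLE_ENCODED 0x02u /* decoded output still contains %HH */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode one layer of percent-encoding from in[0..len) into out (at least len
 * bytes) and return the decoded length. A small state tracker watches the
 * emitted bytes for '%' HEX HEX, so the check needs no second pass. */
size_t uri_decode_once(const unsigned char *in, size_t len,
                       unsigned char *out, unsigned *flags) {
    size_t i = 0, o = 0;
    int st = 0; /* 0: idle, 1: emitted '%', 2: emitted '%' plus one hex digit */
    *flags = 0;
    while (i < len) {
        unsigned char c = in[i];
        if (c == '%' && i + 2 < len &&
            hexval(in[i + 1]) >= 0 && hexval(in[i + 2]) >= 0) {
            c = (unsigned char)(hexval(in[i + 1]) << 4 | hexval(in[i + 2]));
            *flags |= URI_FLAG_ENCODED;
            i += 3;
        } else {
            i++; /* literal byte, or a malformed escape passed through as-is */
        }
        out[o++] = c;
        if (c == '%') {
            st = 1;
        } else if (st > 0 && hexval(c) >= 0) {
            if (++st == 3) { *flags |= URI_FLAG_DOUBLE_ENCODED; st = 0; }
        } else {
            st = 0;
        }
    }
    return o;
}

int main(void) {
    const unsigned char uri[] = "/a%2541"; /* constructed sample input */
    unsigned char out[sizeof uri];
    unsigned flags;
    size_t n = uri_decode_once(uri, sizeof uri - 1, out, &flags);
    printf("%.*s flags=0x%x\n", (int)n, (const char *)out, flags);
    return 0;
}
```

The raw URI stays untouched in `in`, so a caller can raise an event on `URI_FLAG_DOUBLE_ENCODED` and still choose whether to decode a second layer for matching.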