Software and web application security

January 10, 2007

IIS 6.0 %uNNNN unicode notation in the URL

Filed under: penetration testing, software security, web apps — chrisweber @ 10:18 pm

I do a lot of web app pen testing. Character encoding is always an important part of many input validation test cases. Some people don’t realize that IIS takes straight unicode notation in the URL by default. So you can pass in unicode characters just by typing the proper notation in ASCII on the URL. For example the following URL’s encode an “s”, a double quote, the Cyrillic small letter “о” which looks a lot like an “o”.

http://somesite.iis/query=unicode-character-%u0073
http://somesite.iis/query=unicode-character-%u0022
http://somesite.iis/query=unicode-character-%u043E

This is controlled by the following registry key and is enabled by default:

HKLM\System\CurrentControlSet\Services\HTTP\Parameters\PercentUAllowed

A Boolean value. If non-zero, Http.sys accepts the %uNNNN notation in request URLs.

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: