规范表示是什么意思及其对网站的潜在漏洞 [英] What does Canonical Representation mean and its potential vulnerability to websites
问题描述
我在google上搜索了规范表示的含义,然后发现文档太含糊了。任何人都可以快速解释规范表示形式,以及网站中针对规范表示攻击的一些典型漏洞吗?
I searched on google for a meaning of canonical representation and turned up documents that are entirely too cryptic. Can anyone provide a quick explanation of canonical representation and also what are some typical vulnerabilities in websites to canonical representation attacks?
推荐答案
规范化是
例如,如果您的Web应用程序仅允许输入,例如文件名或字符串,然后将其转换为标准表示形式。访问C:\\ sites \\ mydomain下的文件,那么通常将任何引用文件名的输入规范化为物理直接路径,而不是使用相对路径的输入。如果要打开C:\网站\mydomain\example\example.txt,则该函数的一个输入可能是example\example.txt。如果这超出了您网站的边界,将很难解决,因此规范化功能将查看应用程序目录,并将该相对路径更改为物理路径,即C:\websites\mydomain\example\example 。文本文件。显然,这很容易检查,因为您只需在文件路径的开头进行字符串比较即可。
For example if your web application only allows access to files under C:\websites\mydomain then typically any input referring to filenames is canonicalised to be a physical, direct path, rather than one which uses relative paths. If you wanted to open C:\websites\mydomain\example\example.txt one input into that function may be example\example.txt. It's hard to work out if this goes outside the boundaries of your web site, so the canonicalisation function would look at the application directory and change that relative path into a physical one, C:\websites\mydomain\example\example.txt. This is obviously easier to check as you simply do a string compare on the start of the file path.
对于HTML输入,您可以输入%20之类的输入,并通过取消编码对其进行规范化,因此这将变成一个空格。这是个好主意,因为编码的不同方式数量众多,规范化意味着您只检查已解码的字符串,而不是尝试覆盖所有编码变体。
For HTML inputs you take inputs like %20 and canonicalise them by unencoding, so this would turn into a space. This is a good idea as the number of different ways of encoding are numerous, canonicalisation means you would check the decoded string only, rather than try to cover all the encoding variations.
基本上,您正在接受逻辑上等效的输入,并将其转换为标准格式,然后可以对其进行操作。
Basically you are taking input which is logically equivalent and converting them to a standard form which you can then act upon.
这篇关于规范表示是什么意思及其对网站的潜在漏洞的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
