This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

CRV2 ClientSideCodeBrowserDefPol

From OWASP
Revision as of 03:02, 30 July 2014 by Larry Conklin (talk | contribs) (Created page with " Browser Defense Scheme: // Login.passworld@ addess :port /path/to/resource ?query_string #fragment 1. Scheme/protocol name 2. Indicator of a hierarchical URL (constant)_ 3...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Browser Defense


Scheme: // Login.passworld@ addess :port /path/to/resource ?query_string #fragment

1. Scheme/protocol name 2. Indicator of a hierarchical URL (constant)_ 3. Credentials to access the resource (optional) 4. Server to retrieve the data from 5. Port number to connect to (optional) 6. Hierarchical Unix path to a resource 7. “Query string” parameters (optional) 8. “Fragment identifier” (optional)

If application allows user-supplied data in the URL then the code reviewer needs to make sure the path, query or Fragment Id Code data is validated.

Make sure user-supplied scheme name or authority section has good input validation. This is a major code injection and phishing risk. Only permit prefixes needed by the application. Do not use blacklisting. Code reviewer should make sure only whitelisting is used for validation.

Make sure authority section should only contain alphanumerics, “-“, and “.” And be followed by “/”, “?”,”#”. The risk here an IDN homograph attack.

Code reviewer needs to make sure the programmer is not assuming default behavior because the programmers browser properly escapes a particular character or browser standard says the character will be escaped properly before allowing any URL-derived values are put inside a database query or the URL is echoed back to the user.

Retrieved from "https://wiki.owasp.org/index.php?title=CRV2_ClientSideCodeBrowserDefPol&oldid=179478"