The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 3  ■ Web Application Technologies




Encoding Schemes

Web applications employ several different encoding schemes for their data. Both the HTTP protocol and the HTML language are historically text-based, and different encoding schemes have been devised to ensure that unusual characters and binary data can be safely handled by these mechanisms. When you are attacking a web application, you will frequently need to encode data using a relevant scheme to ensure that it is handled in the way you intend. Further, in many cases you may be able to manipulate the encoding schemes used by an application to cause behavior that its designers did not intend.

URL Encoding

URLs are permitted to contain only the printable characters in the US-ASCII character set — that is, those whose ASCII code is in the range 0x20–0x7e inclusive. Further, several characters within this range are restricted because they have special meaning within the URL scheme itself or within the HTTP protocol.

The URL encoding scheme is used to encode any problematic characters within the extended ASCII character set so that they can be safely transported over HTTP. The URL-encoded form of any character is the % prefix followed by the character's two-digit ASCII code expressed in hexadecimal. Some examples of characters that are commonly URL-encoded are shown here:

%3d  =
%25  %
%20  space
%0a  new line
%00  null byte

A further encoding to be aware of is the + character, which represents a URL-encoded space (in addition to the %20 representation of a space).
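The scheme described above, worked through in code. This is an added example and is not taken from the book; it implements the encoder and a single-pass decoder by hand so the rules are visible, then compares them with Python's urllib.parse. Two points are assumptions of this example rather than statements from the text: letters, digits and "-._~" (the RFC 3986 unreserved set) are left unencoded, and the encoder emits uppercase hex digits (decoders accept either case, as the lowercase table in the book implies). The decode_passes helper illustrates why the number of decode passes matters to any component that validates URL-encoded input.

```python
import string
from urllib.parse import quote, quote_plus, unquote, unquote_plus

# Characters the chapter lists as commonly URL-encoded, with their encoded
# forms. Hex-digit case does not matter to a decoder; this table keeps the
# lowercase form used in the book.
COMMON_ENCODINGS = {"=": "%3d", "%": "%25", " ": "%20", "\n": "%0a", "\x00": "%00"}

# Assumption (not stated in the book): letters, digits and "-._~" are left
# as-is, following the RFC 3986 "unreserved" set; everything else is encoded.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def percent_encode(data: str, safe: str = "") -> str:
    """Encode every byte outside the unreserved set as % plus two hex digits.

    Non-ASCII characters are UTF-8 encoded first, so each of their bytes gets
    its own %XX sequence. `safe` lists extra characters to leave untouched.
    """
    out = []
    for byte in data.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x80 and (ch in UNRESERVED or ch in safe):
            out.append(ch)
        else:
            out.append(f"%{byte:02X}")
    return "".join(out)


def percent_decode(data: str, plus_is_space: bool = False) -> str:
    """Single-pass decoder: each valid %XX becomes exactly one byte.

    A '%' not followed by two hex digits is kept literally rather than
    raising, which is what most servers do. '+' is translated to a space
    only when plus_is_space is set, because that rule belongs to the
    query-string / form encoding, not to a URL path.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        ch = data[i]
        if ch == "%" and i + 3 <= len(data) and all(c in string.hexdigits for c in data[i + 1:i + 3]):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        elif ch == "+" and plus_is_space:
            out.append(0x20)
            i += 1
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def decode_passes(data: str) -> list:
    """Return the value after zero, one and two decode passes.

    "%2520" decodes to "%20" on the first pass and to a space on the second,
    so a validator that decodes a different number of times than the
    component it protects is checking a different string. Decode once, then
    validate the decoded value.
    """
    history = [data]
    for _ in range(2):
        history.append(percent_decode(history[-1]))
    return history


def stdlib_equivalents() -> dict:
    """The same behaviour from urllib.parse, for comparison with the hand-rolled code."""
    return {
        "quote": quote("a=b c"),                  # '=' and space encoded; '/' kept by default
        "quote_plus": quote_plus("a=b c"),        # form-style: space becomes '+'
        "unquote": unquote("a+b%20c"),            # '+' left alone
        "unquote_plus": unquote_plus("a+b%20c"),  # '+' becomes a space
    }


if __name__ == "__main__":
    for raw, enc in COMMON_ENCODINGS.items():
        assert percent_decode(enc) == raw and percent_encode(raw) == enc.upper()
    print(percent_encode("a=b c"), "|", percent_decode("a+b", plus_is_space=True))
    print(decode_passes("%2520"))
    print(stdlib_equivalents())
```

Use percent_decode without plus_is_space for path segments and with it for query-string and form bodies; mixing the two up is the usual reason a "+" in a value turns into a space, or fails to.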

