Hackers attack and defense technology Collection -Web actual articles - Chapter 3, Web application technologies (encoding scheme)

Chapter III, Web application technologies (encoding scheme

Book connected back to the
research and development of different coding schemes for the safe handling of data.
But in many cases, the attacker can control coding scheme, resulting in developers unpredictable behavior.

URL encoding

URL only allows the use of US-ASCII code of printable characters ( 0x20-0x7E ).
Figure from https://blog.csdn.net/qq_38769551/article/details/101459811

Since the URL or HTTP protocol, printable characters in this range, there are some characters can not be used in the URL. So we used the URL encoding schemes encode them so that secure transmission via HTTP.
URL encoding generally "%" as a prefix, to keep up with this character hexadecimal code ASCAII behind.
Common code characters:

• % 3d =
• %25 %
• 20% space
• % 0a new line
• % 00 null bytes

When the infiltrators submit an HTTP request parameters must be URL encoded in more characters.

Unicode encoding

Character is written to support the systems in use worldwide, and the design of the character encoding standard.

• UTF-16: In "% u" as a prefix, to keep the Unicode code point hexadecimal characters
• UTF-8: is a variable length coding standard that uses one or several bytes of each character. ** to "%" ** as a prefix, each byte hexadecimal.

Use Unicode encoding attack to destroy acknowledgment mechanism.

HTML coding

HTML coding is used to represent a character issue incorporated into an HTML document security program. Many special characters are used to define the structure of the document rather than the content, for safe use, so its HTML coding.
HTML coding defines a number of HTML entities to represent literal characters, for example:

"  "
'  '
&   &
&lt;    <
&gt;    >

In addition, any character can be both HTML coding in hexadecimal and decimal ASCII code, for example,

//十进制
"     "
'     '

//十六进制
4     "
9     '

HTML coding used to probe cross-site scripting attacks

Base64 encoding

Printable ASCII code only can represent any binary data.
Accessories for encoding the message, the user authentication mechanism may also be used in the user certificate encoding.
Base64 converts the input data into blocks of three bytes, each block is divided into four segments, each segment 6 data bits. 2 ^ 6 = 64, so each segment 64 permutations. Thus each segment can be expressed by a set of 64 characters.
If the input data is not the last block segment composed of 3, to use one or two "=" complement number.

Hex-encoded

Many programs directly using hexadecimal encoding binary data transmission. Hexadecimal data blocks with ASCII characters.

Finally, if you want codec Baidu has a lot of self-searching.

The next chapter

Previous article on the web application basis for learning, began to study how to penetration attacks following
the next chapter to learn the target application, function, working principle, defense mechanisms and techniques used.
which isAnalytical applications。