
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition by Marcus Pinto, Dafydd Stuttard


General Guidelines

You should always keep in mind some general considerations when carrying out the detailed tasks involved in attacking a web application. These apply across all the different areas you need to examine and the techniques you need to carry out.

  • Remember that several characters have special meaning in different parts of the HTTP request. When you are modifying the data within requests, you should URL-encode these characters to ensure that they are interpreted in the way you intend:
    • & is used to separate parameters in the URL query string and message body. To insert a literal & character, you should encode this as %26.
    • = is used to separate the name and value of each parameter in the URL query string and message body. To insert a literal = character, you should encode this as %3d.
    • ? is used to mark the beginning of the URL query string. To insert a literal ? character, you should encode this as %3f.
    • A space is used to mark the end of the URL in the first line of requests and can indicate the end of a cookie value in the Cookie header. To insert a literal space, you should encode this as %20 or +.
    • Because + represents an encoded space, to insert a literal + character, you should encode this as %2b.
    • ; is used to separate individual cookies in the Cookie header. To insert a literal ; character, you should encode this as %3b.
    • # is used to mark the fragment identifier within the URL. If you enter this character into the URL within your browser, it effectively truncates the ...
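To see why the encoding matters, here is an added example (not code from the book) that builds a query string and a Cookie header containing every delimiter listed above, once without and once with the recommended encoding, and then parses them back the way a server would. The query-string parsing uses the standard library's urllib.parse.parse_qs; the cookie parser is a simplified model of the split-on-semicolon logic most servers apply, and the payload and cookie values are constructed for this demonstration.

```python
from urllib.parse import parse_qs

# Delimiters that carry structural meaning in the query string, the
# url-encoded message body and the Cookie header (the list above).
SPECIAL = {
    "&": "%26",  # separates parameters
    "=": "%3d",  # separates a parameter name from its value
    "?": "%3f",  # starts the query string
    " ": "%20",  # ends the URL on the request line / a cookie value
    "+": "%2b",  # is decoded as a space, so a literal + must be encoded
    ";": "%3b",  # separates cookies in the Cookie header
    "#": "%23",  # starts the fragment, which the browser never sends
}


def encode_param_value(value: str) -> str:
    """Percent-encode only the delimiters above, leaving the rest of the
    payload readable when you review the request in an intercepting proxy."""
    return "".join(SPECIAL.get(ch, ch) for ch in value)


def build_query(params: dict, encode: bool = True) -> str:
    """Assemble name=value&name=value, with or without encoding the values."""
    enc = encode_param_value if encode else (lambda s: s)
    return "&".join(f"{enc(name)}={enc(value)}" for name, value in params.items())


def server_parse_query(query: str) -> dict:
    """How a typical server sees the query: split on &, then on the first =,
    then percent-decode and turn + into a space (parse_qs does exactly this)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_cookie_header(cookies: dict, encode: bool = True) -> str:
    """Assemble a Cookie header value, with or without encoding the values."""
    enc = encode_param_value if encode else (lambda s: s)
    return "; ".join(f"{name}={enc(value)}" for name, value in cookies.items())


def server_parse_cookies(header: str) -> dict:
    """Simplified model of Cookie header parsing: split on ;, then name=value
    on the first =. Whether values are percent-decoded afterwards depends on
    the framework, so they are left raw here."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            out[name.strip()] = value.strip()
    return out


# Constructed payload containing every delimiter from the list above.
PAYLOAD = "a=1&b=2;c=3?d=4 e=5+f=6#g"

if __name__ == "__main__":
    naive = build_query({"q": PAYLOAD}, encode=False)
    # The server sees q=a=1 plus extra parameters: the payload is chopped up.
    print(naive, "->", server_parse_query(naive))

    safe = build_query({"q": PAYLOAD})
    # The server now receives the whole payload in q, unchanged.
    print(safe, "->", server_parse_query(safe))

    # The same effect in the Cookie header: an unencoded ; ends the cookie.
    print(server_parse_cookies(build_cookie_header({"sess": "x;y"}, encode=False)))
    print(server_parse_cookies(build_cookie_header({"sess": "x;y"})))
```

When you paste a payload into a proxy's request editor, the unencoded build is what you get by default; the encoded build is what you should send whenever the payload itself contains any of these delimiters. Note that the cookie case is parsed differently from the query string: the semicolon stops being a separator once encoded, but whether the application later decodes %3b back to ; is framework-specific, so check the behaviour of the target rather than assuming it.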
