I know that the double quote character is not allowed in a URL and is encoded as %22, and that this is done with UTF-8 encoding. But what happens if I build a browser which does not perform URL encoding and sends the query with the double quotes as they are, since they are permitted in the UTF-8 encoding scheme? For example: www.google.com/"a". Moreover, what would happen to the URL parsing script on the server when it encounters a double quote?
A space is assigned number 32, which is 20 in hexadecimal. When you see “%20,” it represents a space in an encoded URL, for example, http://www.example.com/products%20and%20services.html.
Since you're passing an invalid URI to the server, the server may respond with HTTP 400 Bad Request status, but may not. Different servers have different behavior on this. For example, Apache 2.4 servers respond with 403 Forbidden. It seems they recognize it as an attempt at SQL injection and suppress it immediately. nginx servers respond with 404 Not Found.
You don't need to build a browser which doesn't perform URL encoding to check. You can perform this query from the simple telnet program which comes as a part of most operating systems (but may not be installed by default). If it's installed, you just need to execute telnet www.google.com 80 in a terminal window, paste the following 2 lines:
GET /"a" HTTP/1.1
Host: www.google.com
and press Enter twice. You will get a response with 404 Not Found. If you do the same with stackoverflow.com, the response will be 400 Bad Request.
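The same raw request sent to a local test server rather than a public host, as an added example that is not part of the original answer. The hypothetical `StrictHandler` checks the path against the RFC 3986 path characters and answers 400 for a literal double quote, while the percent-encoded form passes the check and gets an ordinary 404; `VALID_PATH`, `StrictHandler`, `raw_get` and `demo` are names made up for this example.

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# RFC 3986 path characters plus %XX escapes; the double quote is not among them.
VALID_PATH = re.compile(r"^/(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/]|%[0-9A-Fa-f]{2})*$")


class StrictHandler(BaseHTTPRequestHandler):
    """Hypothetical handler: 400 for a malformed path, 404 for a valid one."""

    def do_GET(self):
        path = self.path.split("?", 1)[0]  # validate the path part only
        status = 404 if VALID_PATH.match(path) else 400
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def raw_get(port, target):
    """Send the request line byte for byte, as typing it into telnet would."""
    request = f"GET {target} HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n"
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request.encode("ascii"))
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return int(data.split(b" ", 2)[1])  # status code from the status line


def demo():
    """Start the server on a free local port and compare three request targets."""
    server = HTTPServer(("127.0.0.1", 0), StrictHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {t: raw_get(port, t) for t in ('/"a"', "/%22a%22", "/a")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Python's stock `http.server` request parser splits the request line on whitespace and hands `/"a"` to the handler unchanged, so the rejection here comes from the explicit `VALID_PATH` check, not from the library.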