Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://mastodon.social/users/ekis/statuses/111589746277377515">she hacked you (ekis@mastodon.social)'s status on Wednesday, 18-Dec-2024 16:53:17 JST</a><a href="https://mastodon.social/@ekis" title="ekis@mastodon.social"><img src="https://gnusocial.jp/avatar/145267-48-20250301034018.webp" width="48" height="48" alt="she hacked you" style="position: absolute; left: 0; top: 0;">she hacked you</a></section><article><p>Don't have time for a banner grab but still interested in basic info about a server?</p><p>Well taking advantage of a server's inability to process '%' b/c it expects two hex digits to follow; in many cases it errors</p><p>Preventing this from happening is actually easy</p><p>It requires an essential secure programming principle: verify, validate, and sanitize your input</p><p>This principle should be applied to EVERY input, and yes the URL is input</p><p><a href="https://mastodon.social/tags/infosec" rel="tag">#infosec</a> <a href="https://mastodon.social/tags/security" rel="tag">#security</a> <a href="https://mastodon.social/tags/it" rel="tag">#it</a> <a href="https://mastodon.social/tags/sysadmin" rel="tag">#sysadmin</a> <a href="https://mastodon.social/tags/tech" rel="tag">#tech</a>  <a href="https://mastodon.social/tags/development" rel="tag">#development</a> <a href="https://mastodon.social/tags/programming" rel="tag">#programming</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4208746#notice-8225635">In conversation</a><time datetime="2024-12-18T16:53:17+09:00" title="Wednesday, 18-Dec-2024 16:53:17 JST">about 5 months ago</time> <span>from <span><a href="https://mastodon.social/@ekis/111589746277377515" rel="external" title="Sent from mastodon.social via ActivityPub">mastodon.social</a></span></span><a href="https://mastodon.social/@ekis/111589746277377515">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/3723605">Using /% you can generate an error on many servers, and when they have not bothered to hide information it can be revealing.</a></label><br><a href="https://files.mastodon.social/media_attachments/files/111/545/546/862/269/623/original/47c2ab6794524a6c.png" rel="external">https://files.mastodon.social/media_attachments/files/111/545/546/862/269/623/original/47c2ab6794524a6c.png</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
she hacked you (ekis@mastodon.social)'s status on Wednesday, 18-Dec-2024 16:53:17 JST she hacked you
Don't have time for a banner grab but still interested in basic info about a server?
Well taking advantage of a server's inability to process '%' b/c it expects two hex digits to follow; in many cases it errors
Preventing this from happening is actually easy
It requires an essential secure programming principle: verify, validate, and sanitize your input
This principle should be applied to EVERY input, and yes the URL is input
#infosec #security #it #sysadmin #tech #development #programming
In conversation5 months ago from mastodon.socialpermalink
Attachments
1. Using /% you can generate an error on many servers, and when they have not bothered to hide information it can be revealing.
  https://files.mastodon.social/media_attachments/files/111/545/546/862/269/623/original/47c2ab6794524a6c.png

Public

Embed Notice

HTML Code

Corresponding Notice