Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Derek Fawcus dfawcus+lists-ukcrypto at
Wed Aug 4 20:58:56 BST 2010

On Wed, Aug 04, 2010 at 12:01:22PM +0100, Nicholas Bohm wrote:
> That suggests to me that entering a URL designed to exploit a weakness
> in order to get "behind" the root of a server for a particular site is
> doing something very different from truncating a URL in order to explore
> a site.  I can much more easily see why it might be concluded a
> particular user knew it was unauthorised.

But is it designed to exploit a weakness,  or is it simply a convenient shortcut?

Depending upon browser, client OS,  and server,  going up the tree can be achieved by:

  1) Append '../'
  2) Use backspace/delete to remove the characters at the tail of the URL
  3) Use the mouse to sweep out (select) the the tail of the URL,  then press backspace/delete.
  4) Some combination of double/triple click on the last component to select it,  then backspace/delete.

Of these,  when available 4 is the easiest,  followed by 1.

I can use 4 in firebox (or safari) on a mac,  but the 'word' selected will only include alphanumeric chars.

I have to use one of the other methods in firefox on Linux.
Of those,  2 or 3 would be used to remove a terminal 'file' part,  then one of 1-3 for each
directory component,  with method 1 being the easiest/fastest.

Then if one is appending a bunch of '../' strings,  it would be easy to unintentionally ascend too high.

More information about the ukcrypto mailing list