Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Derek Fawcus dfawcus+lists-ukcrypto at employees.org
Wed Aug 4 20:58:56 BST 2010


On Wed, Aug 04, 2010 at 12:01:22PM +0100, Nicholas Bohm wrote:
> 
> That suggests to me that entering a URL designed to exploit a weakness
> in order to get "behind" the root of a server for a particular site is
> doing something very different from truncating a URL in order to explore
> a site.  I can much more easily see why it might be concluded a
> particular user knew it was unauthorised.

But is it designed to exploit a weakness,  or is it simply a convenient shortcut?

Depending upon browser, client OS,  and server,  going up the tree can be achieved by:

  1) Append '../'
  2) Use backspace/delete to remove the characters at the tail of the URL
  3) Use the mouse to sweep out (select) the tail of the URL,  then press backspace/delete.
  4) Some combination of double/triple click on the last component to select it,  then backspace/delete.

Of these,  when available 4 is the easiest,  followed by 1.

I can use 4 in firefox (or safari) on a mac,  but the 'word' selected will only include alphanumeric chars.

I have to use one of the other methods in firefox on Linux.
Of those,  2 or 3 would be used to remove a terminal 'file' part,  then one of 1-3 for each
directory component,  with method 1 being the easiest/fastest.

Then if one is appending a bunch of '../' strings,  it would be easy to unintentionally ascend too high.
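The resolution that makes "ascending too high" harmless on the client, and the matching check a server should apply, as an added example that is not part of the original thread. It implements the dot-segment removal of RFC 3986 section 5.2.4, simulates method 1 above (appending '../') against a constructed sample URL, and shows a hypothetical server-side function that refuses any request path which tried to climb above the document root; the URLs, the docroot and the function names are all assumptions made for the example.

```python
"""Added example (not from the original post): how a browser resolves '../'
in a URL per RFC 3986 section 5.2.4, why appending too many of them stops at
the site root rather than going 'behind' it, and a server-side check that
refuses any request path which tried to climb above the document root.
All URLs and paths below are constructed sample values."""
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit, unquote


def remove_dot_segments(path: str) -> Tuple[str, int]:
    """Normalise a URL path, collapsing '.' and '..' segments.

    Returns (normalised_path, overshoot). overshoot counts the '..' segments
    that had no parent left to remove. RFC 3986 tells clients to drop those
    silently, which is why a user who appends one '../' too many simply
    lands on '/' and not somewhere above it.
    """
    absolute = path.startswith("/")
    segments = path.split("/")[1:] if absolute else path.split("/")
    out: List[str] = []
    overshoot = 0
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if out:
                out.pop()
            else:
                overshoot += 1
            if last:
                out.append("")  # a trailing '..' leaves a trailing '/'
        elif seg == ".":
            if last:
                out.append("")  # likewise for a trailing '.'
        else:
            out.append(seg)
    result = "/".join(out)
    return ("/" + result if absolute else result), overshoot


def climb(url: str, levels: int) -> Tuple[str, int]:
    """Simulate method 1 from the post: append '../' `levels` times to the
    directory part of `url` and resolve it the way a browser would."""
    parts = urlsplit(url)
    if parts.path.endswith("/"):
        directory = parts.path
    else:
        directory = parts.path.rsplit("/", 1)[0] + "/"
    new_path, overshoot = remove_dot_segments(directory + "../" * levels)
    return urlunsplit(parts._replace(path=new_path, query="", fragment="")), overshoot


def resolve_under_docroot(docroot: str, request_path: str) -> Optional[str]:
    """Hypothetical server-side check: map a request path onto the filesystem
    under `docroot`, or return None if it tried to escape. Percent-encoded
    dots are decoded first so '%2e%2e' is treated the same as '..'."""
    normalised, overshoot = remove_dot_segments(unquote(request_path))
    if overshoot:
        return None  # a conforming client never sends this; refuse it
    root = posixpath.normpath(docroot)
    target = posixpath.normpath(posixpath.join(root, normalised.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


if __name__ == "__main__":
    sample = "https://example.com/site/docs/2010/index.html"  # constructed
    for n in (1, 2, 5):
        print(n, climb(sample, n))
    print(resolve_under_docroot("/srv/www", "/docs/%2e%2e/%2e%2e/secret"))
```

Running the block shows that two '../' from the sample URL give `https://example.com/site/` with no overshoot, while five give `https://example.com/` with an overshoot of 2: the browser clamps at the root, so the extra segments never reach the server. The server-side function treats any surviving overshoot as a request no normal client would produce and refuses it, and it also rejects a resolved target outside the docroot even when no overshoot was counted.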