Time Nick Message 22:13 spaceone is it valid to have %0A (== \n) in the path of the HTTP request URI? → GET /foo%0Abar/ HTTP/1.1 22:13 spaceone ? 22:15 spaceone or is it restricted to the quoted chars of ":/?#@!$&'()*+,;=" plus A-Za-z0-9 22:19 fumanchu as long as it's escaped, it's valid 22:19 whartung ^^ 22:22 fumanchu the http URI scheme uses path-abempty for path segments, which consist of "segment" productions, which are composed of pchars 22:23 fumanchu pchar = unreserved / pct-encoded / sub-delims / ":" / "@" 22:23 fumanchu see section 3.3 (or Appendix A) of https://www.ietf.org/rfc/rfc3986.txt 22:23 spaceone yep, okay 23:08 pdurbin I'm hearing good things about https://www.owasp.org/index.php/REST_Security_Cheat_Sheet 23:09 whartung don't even get me started on encrypting stored data. 23:10 whartung funny: RESTful web services should use session-based authentication, either by establishing a session token via a POST or by using an API key as a POST body argument or as a cookie. 23:11 whartung "Many web services are written to be as stateless as possible. This usually ends up with a state blob being sent as part of the transaction." 23:11 whartung That's not really what it means at all... 23:12 asdf` err, about this part: https://www.owasp.org/index.php/REST_Security_Cheat_Sheet#Insecure_direct_object_references 23:12 asdf` i'm not sure how either of these conclusions follow from the urls? 23:13 whartung it's kind of interesting. 23:13 whartung bsasically they'r esuggesting 23:13 whartung that if the URL is "all you need", then "anything can happen". 23:13 whartung the account xfer is a particularly good one. 23:15 whartung if you have payload (since it doesn't matter if it's a url or a payload, really), that says "xfer from acct 1234 to acct 4567" what's to stop it from being "from acct 1234 to acct 9876", and truth is probably nothing. However, "xfer from acct 3333 to 4567", that should likely be disallowed, since odds are the user has not rights to transfer from 3333, but just 1234. 23:15 whartung so the point is that you need to validate your data and check your rights. 23:15 whartung this is context based security, rather than access based security 23:15 whartung 99.9% of web security is URL based (can't they access teh endpoint at ALL) 23:16 whartung since it's mostly based on the old page model 23:16 whartung rather than what you can do with the data. 23:16 whartung this is something folks may not think about. 23:16 whartung mostly because it's a real pain to implement :) lol 23:17 asdf` depends on the stack you're using, of course 23:18 asdf` no, i get what they meant, it's just, it's written VERY badly; it doesn't even mention authorization 23:18 whartung has nothing to do with the stack. Contextual data access is a Hard Problem. Whatever help a stack may offer, doesn't really solve the problem. 23:18 asdf` instead, it mentions primary and foreign keys (???) 23:19 whartung yea, their point is to prevent fishing by not publishing keys. 23:34 fumanchu_ man, gzip could use an overhaul. null-terminated header strings, using EOF to detect the footer. ick.