ehlo floyd.ch

As everything starts once, today it’s my blog. This blog is simply about IT Security stuff.

Today I was wondering how a web server reacts on an URI with a pound sign (#) in it. It took me about 3 hours to realise that it is not possible to send a pound sign with Firefox and WebScarab, even my first try with the perl library did not work. They’re just all too URI RFC 3986 compliant. But python’s urllib2 worked (not urllib)!

http://192.168.1.42:80/echoGetParameters.php?abc=123#ABC
http://192.168.1.42:8080/echoGetParameters.jsp?abc=123#ABC
http://192.168.1.43:80/echoGetParameters.aspx?abc=123#ABC

Findings: Apache and IIS simply ignore it and everything after it. Apache Tomcat interprets the pound sign as part of the last GET value.

If you want to try it yourself, use Wireshark to watch if the pound sign is really sent! I’m still thinking about an exploit…

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.