Shulou(Shulou.com)05/31 Report--

This article focuses on "what is the URL structure of Web security". Interested friends may wish to have a look at it. The method introduced in this paper is simple, fast and practical. Now let the editor take you to learn "what is the URL structure of Web security"?

1. Percent coding

Before introducing percent coding, you also need to know which characters URL needs to encode.

According to the RFC3986 document, only four special characters, such as letters (axiz, Abacz), numbers (0,9), "-" _ "." ~ ", and all reserved characters are allowed in URL.

The so-called reserved characters are the characters that divide URL and separate different components.

Percent coding is very simple, using the percent sign (%) plus two characters (0123456789ABCDEF) as an one-byte hexadecimal form. The default character set for URL encoding is ASCII. For example, the hex corresponding to the pound sign (#) is 0x23, so its URL code is% 23. For non-ASCII characters, you need to encode the corresponding bytes using a superset of the ASCII character set, and then encode each byte with a percent sign.

2. URL parsing

The browser encodes the URL before transmission. The server that receives the URL is mainly responsible for parsing the received URL. In the process of using URL, because most of the web pages on the Internet refer to files on the same server or even in the same directory, the concept of relative URL will be used. When introducing URL coding, it shows the absolute URL, which is equivalent to the difference between the relative path and the absolute path in the computer. So when parsing, the server needs to distinguish between relative URL and absolute URL.

According to the specification, it is very easy to distinguish between the two. If the URL string is not a valid protocol name followed by a colon (:) or double slash (/ /), then it is a relative URL that needs to be referenced. In fact, in practical application, there is a standard for the parsing of relative URL, because the specific implementation of different browsers varies, the character set of valid protocol names varies, and there are various methods to replace the double slash (/ /) separator. Therefore, the relative URL parsing will be classified next.

(1) there is a protocol name, but no authorization information (http:abc.txt). This is a well-known vulnerability that is caused by the negligence of the RFC3986 specification. These addresses are described as invalid absolute addresses in the specification, but the resolution of such addresses is mistaken in the parsing algorithm provided. So this form of URL will be understood as a relative address during execution. For example, in some cases, http:abc.txt is understood as a relative address, while https:example.com is interpreted as an absolute address.

(2) No protocol name, but authorization information (/ / example.com). This writing method gives a more complete treatment in the specification. Faced with this kind of URL, the browser will automatically complete the URL.

(3) there is no protocol name, no authorization information, but a path (.. / robots.txt). This is a common use in which the protocol and authorization information are copied from the reference URL and the relative address is completed.

(4) No protocol name, no authorization information, no path, but a query string (? username=abc). In this case, the protocol, authorization information, and path are all copied intact from the original reference URL. The query string and field ID come from the relative URL.

(5) only the fragment ID (# bunnies). The same is true in this way, where all the other parts are copied intact from the original reference URL, replacing only part of the field ID.

At this point, I believe you have a deeper understanding of "what is the URL structure of Web security". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.