c++ Generic space filtering exploit prevention
up vote
-4
down vote
favorite
so currently I am making a game that has the functionality to grab specific info from the host site. The issue is I am not sure if exploiters could get around my space check (which would let exploiters change header data), Here is my check currently in c++
char* siteaccess = aaa.get();
for (size_t i = 0; i < aaa.length(); ++i)
{
if (aaa[i] != ' ')
*siteaccess = aaa[i];
siteaccess++;
currently I could not bypass the check myself so I think I am safe. But I am also a novice at c++ so I believe there is a way around it. I would like to figure out any potential workarounds before my game goes public, If this can be exploited please provide an example(this will help me fix it). Thanks!
c++ url whitespace
asked Nov 9 at 0:06
taxiphone9237
32
add a comment |
up vote
-4
down vote
favorite
so currently I am making a game that has the functionality to grab specific info from the host site. The issue is I am not sure if exploiters could get around my space check (which would let exploiters change header data), Here is my check currently in c++
char* siteaccess = aaa.get();
for (size_t i = 0; i < aaa.length(); ++i)
{
if (aaa[i] != ' ')
*siteaccess = aaa[i];
siteaccess++;
currently I could not bypass the check myself so I think I am safe. But I am also a novice at c++ so I believe there is a way around it. I would like to figure out any potential workarounds before my game goes public, If this can be exploited please provide an example(this will help me fix it). Thanks!
c++ url whitespace
asked Nov 9 at 0:06
taxiphone9237
32
Please clarify exactly what you want to achieve. It looks like you are trying to modify a string based on white-spaces?
– Henning Koehler
Nov 9 at 0:14
to Henning Koehler: I am modifying the string the user provides that makes a GET request to the url. The goal is that the user cannot make their url "example.com HTTP/1.1" and will get filtered to "example.comhttp/1.1" removing the space. This way the user cannot continue the rest of the request and modify headers, etc. because it will just 404 the request.
– taxiphone9237
Nov 9 at 0:19
add a comment |
up vote
-4
down vote
favorite
up vote
-4
down vote
favorite
so currently I am making a game that has the functionality to grab specific info from the host site. The issue is I am not sure if exploiters could get around my space check (which would let exploiters change header data), Here is my check currently in c++
char* siteaccess = aaa.get();
for (size_t i = 0; i < aaa.length(); ++i)
{
if (aaa[i] != ' ')
*siteaccess = aaa[i];
siteaccess++;
currently I could not bypass the check myself so I think I am safe. But I am also a novice at c++ so I believe there is a way around it. I would like to figure out any potential workarounds before my game goes public, If this can be exploited please provide an example(this will help me fix it). Thanks!
c++ url whitespace
asked Nov 9 at 0:06
taxiphone9237
32
so currently I am making a game that has the functionality to grab specific info from the host site. The issue is I am not sure if exploiters could get around my space check (which would let exploiters change header data), Here is my check currently in c++
char* siteaccess = aaa.get();
for (size_t i = 0; i < aaa.length(); ++i)
{
if (aaa[i] != ' ')
*siteaccess = aaa[i];
siteaccess++;
currently I could not bypass the check myself so I think I am safe. But I am also a novice at c++ so I believe there is a way around it. I would like to figure out any potential workarounds before my game goes public, If this can be exploited please provide an example(this will help me fix it). Thanks!
c++ url whitespace
c++ url whitespace
asked Nov 9 at 0:06
taxiphone9237
32
asked Nov 9 at 0:06
taxiphone9237
32
asked Nov 9 at 0:06
taxiphone9237
32
asked Nov 9 at 0:06
taxiphone9237
32
asked Nov 9 at 0:06
taxiphone9237
32
32
Please clarify exactly what you want to achieve. It looks like you are trying to modify a string based on white-spaces?
– Henning Koehler
Nov 9 at 0:14
to Henning Koehler: I am modifying the string the user provides that makes a GET request to the url. The goal is that the user cannot make their url "example.com HTTP/1.1" and will get filtered to "example.comhttp/1.1" removing the space. This way the user cannot continue the rest of the request and modify headers, etc. because it will just 404 the request.
– taxiphone9237
Nov 9 at 0:19
add a comment |
Please clarify exactly what you want to achieve. It looks like you are trying to modify a string based on white-spaces?
– Henning Koehler
Nov 9 at 0:14
to Henning Koehler: I am modifying the string the user provides that makes a GET request to the url. The goal is that the user cannot make their url "example.com HTTP/1.1" and will get filtered to "example.comhttp/1.1" removing the space. This way the user cannot continue the rest of the request and modify headers, etc. because it will just 404 the request.
– taxiphone9237
Nov 9 at 0:19
Please clarify exactly what you want to achieve. It looks like you are trying to modify a string based on white-spaces?
– Henning Koehler
Nov 9 at 0:14
Please clarify exactly what you want to achieve. It looks like you are trying to modify a string based on white-spaces?
– Henning Koehler
Nov 9 at 0:14
to Henning Koehler: I am modifying the string the user provides that makes a GET request to the url. The goal is that the user cannot make their url "example.com HTTP/1.1" and will get filtered to "example.comhttp/1.1" removing the space. This way the user cannot continue the rest of the request and modify headers, etc. because it will just 404 the request.
– taxiphone9237
Nov 9 at 0:19
to Henning Koehler: I am modifying the string the user provides that makes a GET request to the url. The goal is that the user cannot make their url "example.com HTTP/1.1" and will get filtered to "example.comhttp/1.1" removing the space. This way the user cannot continue the rest of the request and modify headers, etc. because it will just 404 the request.
– taxiphone9237
Nov 9 at 0:19
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
accepted
It looks like your issue is not so much with bypassing your space-removal check in c++ (they cannot), but about finding a string without spaces that stuffs up your get request.
I'm not too familiar with code injection for GET requests, but my suggestion would be to use a library for building your request, as manually fiddling with it is very likely to leave you open to exploits. E.g. a tab character might have the same effect as a white-space?
answered Nov 9 at 0:27
Henning Koehler
1,102610
thank you for the fast reply. I am glad that the check is not vulnerable to any bypasses/exploits.
– taxiphone9237
Nov 9 at 0:31
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
accepted
It looks like your issue is not so much with bypassing your space-removal check in c++ (they cannot), but about finding a string without spaces that stuffs up your get request.
I'm not too familiar with code injection for GET requests, but my suggestion would be to use a library for building your request, as manually fiddling with it is very likely to leave you open to exploits. E.g. a tab character might have the same effect as a white-space?
answered Nov 9 at 0:27
Henning Koehler
1,102610
thank you for the fast reply. I am glad that the check is not vulnerable to any bypasses/exploits.
– taxiphone9237
Nov 9 at 0:31
add a comment |
up vote
0
down vote
accepted
It looks like your issue is not so much with bypassing your space-removal check in c++ (they cannot), but about finding a string without spaces that stuffs up your get request.
I'm not too familiar with code injection for GET requests, but my suggestion would be to use a library for building your request, as manually fiddling with it is very likely to leave you open to exploits. E.g. a tab character might have the same effect as a white-space?
answered Nov 9 at 0:27
Henning Koehler
1,102610
thank you for the fast reply. I am glad that the check is not vulnerable to any bypasses/exploits.
– taxiphone9237
Nov 9 at 0:31
add a comment |
up vote
0
down vote
accepted
up vote
0
down vote
accepted
It looks like your issue is not so much with bypassing your space-removal check in c++ (they cannot), but about finding a string without spaces that stuffs up your get request.
I'm not too familiar with code injection for GET requests, but my suggestion would be to use a library for building your request, as manually fiddling with it is very likely to leave you open to exploits. E.g. a tab character might have the same effect as a white-space?
answered Nov 9 at 0:27
Henning Koehler
1,102610
It looks like your issue is not so much with bypassing your space-removal check in c++ (they cannot), but about finding a string without spaces that stuffs up your get request.
I'm not too familiar with code injection for GET requests, but my suggestion would be to use a library for building your request, as manually fiddling with it is very likely to leave you open to exploits. E.g. a tab character might have the same effect as a white-space?
answered Nov 9 at 0:27
Henning Koehler
1,102610
answered Nov 9 at 0:27
Henning Koehler
1,102610
answered Nov 9 at 0:27
Henning Koehler
1,102610
answered Nov 9 at 0:27
Henning Koehler
1,102610
1,102610
thank you for the fast reply. I am glad that the check is not vulnerable to any bypasses/exploits.
– taxiphone9237
Nov 9 at 0:31
add a comment |
thank you for the fast reply. I am glad that the check is not vulnerable to any bypasses/exploits.
– taxiphone9237
Nov 9 at 0:31
thank you for the fast reply. I am glad that the check is not vulnerable to any bypasses/exploits.
– taxiphone9237
Nov 9 at 0:31
thank you for the fast reply. I am glad that the check is not vulnerable to any bypasses/exploits.
– taxiphone9237
Nov 9 at 0:31
add a comment |
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53217986%2fc-generic-space-filtering-exploit-prevention%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Please clarify exactly what you want to achieve. It looks like you are trying to modify a string based on white-spaces?
– Henning Koehler
Nov 9 at 0:14
to Henning Koehler: I am modifying the string the user provides that makes a GET request to the url. The goal is that the user cannot make their url "example.com HTTP/1.1" and will get filtered to "example.comhttp/1.1" removing the space. This way the user cannot continue the rest of the request and modify headers, etc. because it will just 404 the request.
– taxiphone9237
Nov 9 at 0:19