Table of Contents
Meta characters are non-printable and printable characters, which affect the behavior of programming language commands, operating system commands, individual program procedures and database queries. Meta-Characters can be encoded in non-obvious ways, so canonicalization of data (conversion to a common character set) before stripping meta-characters is essential.
Example meta-characters and typical uses can be found below.
| [ ; ] Semicolons for additional command-execution |
| [ | ] Pipes for command-execution |
| [ ! ] Call signs for command-execution |
| [ & ] Used for command-execution |
| [ x20 ] Spaces for faking urls and other names (especial in URLs!) |
| [ x00 ] Nullbytes for truncating strings and filenames |
| [ x04 ] EOT for faking file ends |
| [ x0a ] New lines for additional command-execution |
| [ x0d ] New lines for additional command-execution |
| [ x1b ] Escape |
| [ x08 ] Backspace |
| [ x7f ] Delete |
| [ ~ ] Tildes |
| [ ' " ] Quotation marks (often in combination with database-queries) |
| [ - ] in combination with database-queries and creation of negative numbers |
| [ *% ] used in combination with database-queries |
| [ ` ] Backticks for command execution |
| [ /\ ] Slashes and Backslashes for faking paths and queries |
| [ <> ] LTs and GTs for file-operations |
| [ <> ] for creating script-language related TAGS within documents on webservers! |
| [ ? ] Programming/scripting- language related |
| [ $ ] Programming/scripting- language related |
| [ @ ] Programming/scripting- language related |
| [ : ] Programming/scripting- language related |
| [ ({[]}) ] Programming/scripting/regex and language-related |
| [../] two dots and a slash or backslash - for faking filesystem paths |
There are very few reasons why these characters should form legitimate input to web applications. The following sections describe in more detail some of the ways in which they are used to mount attacks on both systems and users.