Usernames with .bat/.exe in the URL - alternative

Question

I am working with a URL which takes in the username for a GET call. Ex: https://example.com/details/< username >

However, if the username contains ".bat" or ".exe" (ex: mm.baty - https://example.com/details/mm.baty), there might be some security issues.

What are some suggestions for sending the username through the URL, without compromising the security issues.

Thank you for your help!

What are the security issues that you are worried about? – Bart Friederichs Aug 12 '19 at 18:24 — Bart Friederichs, Aug 12 '19 at 18:24

roshnet · Answer 1 · 2019-12-24T14:56:38.813

0

Assuming you're using query parameters (say /?username=userone), anyone can modify the value and enter some malicious values as parameter.

You can implement a regex pattern that checks the params for potentially malicious values, and deal with the response accordingly.

edited Dec 24 '19 at 14:56

answered Aug 13 '19 at 12:09

roshnet

1 Answers1