Full Disclosure mailing list archives
Re: [WEB SECURITY] Re: noise about full-width encoding bypass?
From: "Chris Weber" <chris () mail casabasec com>
Date: Mon, 21 May 2007 12:24:51 -0700
Hold up a second folks, you're telling this list now that ASP.NET will decompose various character sets like those containing your full-width single quote, into it's ASCII equivalent. Brian I think you should've stuck to your original story because I'm almost certain this is completely untrue. If it were true then we'd have some dire state of emergency on our hands no? Compatibility decomposition and canonical composition are a function of the Unicode normalization forms in use (http://unicode.org/reports/tr15/). *In particular, forms KD and KC would do what you're saying, but those aren't commonly in use afaik. Developers should be very cautious when normalizing to these forms. If you've managed to find some specific ASP.NET classes which normalize to problematic forms KD/KC then you should let us know, but just saying all of ASP.NET does this would be a huge stretch. The framework supports all four normalization methods (http://msdn2.microsoft.com/en-us/winfx/system.string.aspx) and it's up to developers to implement the ones they need. ---------- Original Message ----------- From: ascii <ascii () katamail com> To: Brian Eaton <eaton.lists () gmail com> Cc: Web Security <websecurity () webappsec org>, Full-Disclosure <full-disclosure () lists grok org uk> Sent: Mon, 21 May 2007 23:01:26 +0200 Subject: [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?
Brian Eaton wrote:To summarize what I've heard from various sources: I am missing something important. =) Both PHP and ASP.NET will decode these characters into their ASCII equivalents.(AFAIK) Only ASP.NET/IIS decodes that automatically. PHP *can* do that as like JSP and probably others but that has to happen explicitly in the application code or on an other layer. Regards, Francesco `ascii` Ongaro http://www.ush.it/ ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
------- End of Original Message ------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? 3APA3A (May 21)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? 3APA3A (May 22)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? ascii (May 21)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)
- Re: noise about full-width encoding bypass? Steven Adair (May 21)
- Re: noise about full-width encoding bypass? Valdis . Kletnieks (May 21)
- Re: noise about full-width encoding bypass? 3APA3A (May 22)
- Re: noise about full-width encoding bypass? ascii (May 21)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Chris Weber (May 21)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? ascii (May 21)
- Re: noise about full-width encoding bypass? 3APA3A (May 21)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Brian Eaton (May 22)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Arian J. Evans (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 21)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Amit Klein (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Amit Klein (May 23)