Full Disclosure mailing list archives
Re: [WEB SECURITY] noise about full-width encoding bypass?
From: Amit Klein <aksecurity () gmail com>
Date: Tue, 22 May 2007 19:08:03 +0200
Brian Eaton wrote:
Has anyone had a look at the full-width unicode encoding trick discussed here? http://www.kb.cert.org/vuls/id/739224
BTW - why is this news? It has been known for long.

The trick at large was discussed in "IDS Evasion with Unicode" by Eric Hacker, which dates back to 2001 (http://www.securityfocus.com/infocus/1232):

    Another way that Unicode can cause problems is that the application or operating system can assign the same interpretation to different code points. Thus, even though the Unicode specification dictates that the code points should be treated differently, the application actually treats them the same. I tested IIS on Windows 2000 Advanced Server (English) and found that it was very good at exhibiting this behavior. For example, here is a list of the various code points that resolved to the capital letter "A": U+0041, U+0100, U+0102, U+0104, U+01CD, U+01DE, U+8721.

And the full-width Unicode range and its applicability to bypassing a specific security mechanism (ASP.NET's XSS protection and Request Validation mechanisms) was explicitly discussed in a post to BugTraq titled "XSS vulnerabilty in ASP.Net [with details]" (http://www.securityfocus.com/archive/1/390751/30/0/threaded) by Andrey Rusyaev, which dates back to 2005:

    In specific conditions cross-site scripting attacks (XSS) [1] are possible on web sites running ASP.Net, because of incorrect filtering of special HTML characters. The attack exploits a vulnerability in the mechanism for converting Unicode strings [2] to national ASCII codepages. The basic problem arises from the lack of filtering of special HTML characters in the range U+ff00-U+ff60 (fullwidth ASCII characters [3]).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
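The two quoted excerpts describe the same defensive failure: a filter that inspects the raw string before the platform folds "look-alike" code points (fullwidth forms, precomposed accented letters) down to ASCII. The following Python snippet is an added illustration written for this archive page, not code from any of the posters or from ASP.NET or IIS. It assumes Unicode NFKD decomposition plus dropping combining marks as a stand-in for a codepage "best-fit" conversion (Python itself does not perform best-fit mapping), and the payload and code point lists below are constructed from the ranges the two quotes mention.

```python
import unicodedata

# Constructed sample: fullwidth '<' (U+FF1C) and '>' (U+FF1E) around an otherwise
# ordinary script tag. No ASCII metacharacters are present in the raw string.
FULLWIDTH_PAYLOAD = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"

# Code points Hacker reports IIS mapping to "A" (quoted above), minus U+0041 itself.
HACKER_A_VARIANTS = "\u0100\u0102\u0104\u01cd\u01de\u8721"

HTML_METACHARS = set('<>"\'&')


def naive_filter_blocks(s: str) -> bool:
    """A request-validation style check run on the raw Unicode string.

    This mirrors the weak design in the quoted posts: it only recognises the
    ASCII forms of the dangerous characters.
    """
    return any(c in HTML_METACHARS for c in s)


def canonicalize(s: str) -> str:
    """Approximate a lossy Unicode-to-codepage conversion (assumption).

    NFKD expands compatibility characters such as the fullwidth block
    (U+FF01..U+FF5E) to their ASCII base characters and splits precomposed
    letters into base + combining marks; dropping the marks then leaves the
    bare ASCII letter, which is roughly what a best-fit conversion does.
    """
    decomposed = unicodedata.normalize("NFKD", s)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def is_unsafe(s: str) -> bool:
    """Hardened check: canonicalize first, then apply the same metacharacter test."""
    return naive_filter_blocks(canonicalize(s))


def folded_metachars(s: str) -> list:
    """Detection aid: list (original char, folded char) pairs where a non-ASCII
    code point folds to an HTML metacharacter. Useful for logging or alerting
    on requests that would only become dangerous after conversion."""
    hits = []
    for c in s:
        if ord(c) < 0x80:
            continue
        folded = canonicalize(c)
        if folded and folded in HTML_METACHARS:
            hits.append((c, folded))
    return hits


if __name__ == "__main__":
    print("raw filter blocks payload:   ", naive_filter_blocks(FULLWIDTH_PAYLOAD))
    print("canonicalized payload:       ", canonicalize(FULLWIDTH_PAYLOAD))
    print("hardened filter blocks it:   ", is_unsafe(FULLWIDTH_PAYLOAD))
    print("folded metachars:            ", folded_metachars(FULLWIDTH_PAYLOAD))
    print("Hacker's 'A' variants fold to:", canonicalize(HACKER_A_VARIANTS))
```

Running it shows the raw filter passing the fullwidth payload while the canonicalize-then-filter version rejects it. The last line also shows the limit of this model: the five Latin variants (U+0100, U+0102, U+0104, U+01CD, U+01DE) fold to "A", but U+8721 is a CJK ideograph with no decomposition and survives unchanged, so the IIS behaviour Hacker observed for it was a platform-specific mapping that a Unicode-normalization step alone will not reproduce. The practical lesson for a defender is the ordering: validate the string in the same representation the consuming component will actually see, after every conversion, rather than before.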