Re: [WEB SECURITY] noise about full-width encoding bypass?

["Arian J. Evans" <arian.evans () anachronic com>]

On 5/22/07, Amit Klein <aksecurity () gmail com> wrote:
> Brian Eaton wrote:
> > Has anyone had a look at the full-width unicode encoding trick
> > discussed here?
> >
> > http://www.kb.cert.org/vuls/id/739224
> >
>
> BTW - why is this news? it has been known for long:


I think the problem here is network security folks don't understand this
stuff at all.

IDS evasion is the stuff of "landmark" papers, from the paper Thomas Ptacek
and co did on packet fragmentation and re-assembly work, to K2's polymorphic
shell-code:

http://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques

So there are 31 flavors of encoding types validly used by web apps using
HTTP that may or may not get interpreted, converted, or canonicalized to
ASCII or some form that a parser will execute.

We know that, and discuss it ad naseum on the WASC list, but I'm not sure
that the average Joe running an IDS understands just how limited that IDS or
firewall (with "application smart defense", etc.) may be with its "tcp
stream reassembly and HTTP decoding" capabilities.

Hence the wonky cert advisory, basically: "OMG! all valid encoding types not
decoded by IDS!!! Who knew ?!?"

So, in short Amit: It is new news to some folks, I think, probably a lot of
folks (the majority of the IT and even infosec professional population not
subscribing to these lists).

There is no God Master Guide to Encoding Ninjitsu for Web Attacksters handy
for folks to quick reference this rather complex subject, either...

--
Arian Evans
scrutinizing shameless software insecurity

"Diplomacy is the art of saying "Nice doggie" until you can find a rock." --
Will Rogers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/