Full Disclosure mailing list archives
Re: [WEB SECURITY] noise about full-width encoding bypass?
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Tue, 22 May 2007 10:05:45 -0700
On 5/22/07, Amit Klein <aksecurity () gmail com> wrote:
Brian Eaton wrote: > Has anyone had a look at the full-width unicode encoding trick > discussed here? > > http://www.kb.cert.org/vuls/id/739224 > BTW - why is this news? it has been known for long:
I think the problem here is network security folks don't understand this stuff at all. IDS evasion is the stuff of "landmark" papers, from the paper Thomas Ptacek and co did on packet fragmentation and re-assembly work, to K2's polymorphic shell-code: http://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques So there are 31 flavors of encoding types validly used by web apps using HTTP that may or may not get interpreted, converted, or canonicalized to ASCII or some form that a parser will execute. We know that, and discuss it ad naseum on the WASC list, but I'm not sure that the average Joe running an IDS understands just how limited that IDS or firewall (with "application smart defense", etc.) may be with its "tcp stream reassembly and HTTP decoding" capabilities. Hence the wonky cert advisory, basically: "OMG! all valid encoding types not decoded by IDS!!! Who knew ?!?" So, in short Amit: It is new news to some folks, I think, probably a lot of folks (the majority of the IT and even infosec professional population not subscribing to these lists). There is no God Master Guide to Encoding Ninjitsu for Web Attacksters handy for folks to quick reference this rather complex subject, either... -- Arian Evans scrutinizing shameless software insecurity "Diplomacy is the art of saying "Nice doggie" until you can find a rock." -- Will Rogers
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: noise about full-width encoding bypass?, (continued)
- Re: noise about full-width encoding bypass? Valdis . Kletnieks (May 21)
- Re: noise about full-width encoding bypass? 3APA3A (May 22)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Chris Weber (May 21)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? ascii (May 21)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Arian J. Evans (May 21)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Brian Eaton (May 22)
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass? Arian J. Evans (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 21)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Amit Klein (May 22)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Amit Klein (May 23)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Arian J. Evans (May 23)
- Re: [WEB SECURITY] noise about full-width encoding bypass? Amit Klein (May 23)
- Re: noise about full-width encoding bypass? Brian Eaton (May 21)