Full Disclosure mailing list archives
Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?
From: Prasad Shenoy <prasad.shenoy () gmail com>
Date: Thu, 4 Jun 2009 19:22:03 -0400
Has %uff1c %uff1e become very common? I have found a few places where these are still exploitable. Sometime in the coming week I will post my observation from one particular encounter of this vulnerability to get some responses on what, why and how it is happening. This email gave a good head start...

Cheers,
Prasad Shenoy

On Thu, Jun 4, 2009 at 6:10 PM, Arian J. Evans <arian.evans () anachronic com> wrote:
> Hello 3APA3A -- Remember this thread you started 2 years ago? Long time no discussion on this topic... :)
>
> Turns out you were spot-on. We verified six different variants of this. Jeremiah Grossman published details on his blog:
>
> http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html
>
> It is important to note that when you read the number counts that say:
>
> 11 exploitable XSS in 8 websites: %u00ABscript%u00BB
>
> the count of "11" is "11 /path/ locations or forms in a web application", not "11 vulnerable inputs". The location might be a .cgi or a servlet, with 1 or dozens of inputs in that same location that are all "vulnerable" to the same attack technique.
>
> (We call the individual inputs "attack vectors" instead of "vulnerabilities" to help people group them and make them more actionable. E.g., people usually don't go fix one input, but instead fix the CGI, servlet, form-input/request-handler and all the associated inputs at once. So reporting each input individually doesn't provide any benefit besides making reports bigger.)
>
> Anyway, there are many more of these kinds of false-familiar/transliteral transcoding and canonicalization issues. I will continue to feed anything interesting to Jeremiah and it will probably wind up on his blog.
>
> Thanks again for opening my mind up to some new angles for filter-evasion tricks! :)
>
> ciao
>
> --
> Arian Evans
> I invest most of my money in motorcycles, mistresses, and martinis. The rest of it I squander.
>
> On Tue, May 22, 2007 at 9:52 AM, Arian J. Evans <arian () anachronic com> wrote:
>
>> I'll let you know if this hits. I am running this test currently on about 600+ sites.
>>
>> -ae
>>
>> On 5/22/07, 3APA3A <3APA3A () security nnov ru> wrote:
>>
>>> Dear full-disclosure () lists grok org uk,
>>>
>>> By the way: I saw Unicode Left Pointing Double Angle Quotation Mark (%u00AB) / Unicode Right Pointing Double Angle Quotation Mark (%u00BB) are sometimes translated to '<' and '>'.
>>>
>>> Has somebody experimented with %u00ABscript%u00BB in different environments to bypass filtering in this way?
>>>
>>> --
>>> http://securityvulns.com/
>>> ZARAZA U 3APA3A
>>> You know my name - look up my number (The Beatles)
>>>
>>> ----------------------------------------------------------------------------
>>> Join us on IRC: irc.freenode.net #webappsec
>>> Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
>>> Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
--
Thought for the day - "Emails can hurt feelings. If this one did, please ignore your feelings."
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
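The root cause behind both observations in this thread (%uff1c/%uff1e and %u00AB/%u00BB being turned into '<' and '>' after a filter has already run) is an ordering problem: the check inspects the raw input, while a later layer canonicalises or best-fit-transcodes look-alike characters into ASCII. The following is an added example, not code from any message in this thread. It models the fullwidth case with real NFKC normalisation (U+FF1C does fold to U+003C under NFKC) and models the guillemet case with a constructed best-fit table that is an assumption standing in for whatever lossy transcoding the thread reports seeing in the wild; the function names are the example's own.

```python
"""Check-then-transcode ordering bug, with a detection check and a fix.

A filter that rejects '<' and '>' on the raw string is satisfied by
look-alike code points; a later canonicalisation step then produces the
ASCII brackets it was supposed to keep out.
"""
import html
import unicodedata

# Constructed best-fit table (assumption): stands in for a code-page or
# transliteration layer that maps guillemets to ASCII brackets. It is not
# a real code-page table; it models the behaviour the thread describes.
BEST_FIT = {"\u00ab": "<", "\u00bb": ">"}


def downstream_transcode(s: str) -> str:
    """Simulated output layer: NFKC folds compatibility forms such as
    FULLWIDTH LESS-THAN SIGN (U+FF1C) to '<', then the constructed
    best-fit table maps U+00AB / U+00BB."""
    folded = unicodedata.normalize("NFKC", s)
    return "".join(BEST_FIT.get(ch, ch) for ch in folded)


def naive_filter(s: str) -> bool:
    """A byte-level 'looks safe' check on the raw input. Returns True when
    no ASCII angle bracket is present; it never sees look-alikes."""
    return "<" not in s and ">" not in s


def vulnerable_render(user_input: str) -> str:
    """Check first, transcode later: the order of operations is the bug."""
    if not naive_filter(user_input):
        raise ValueError("rejected by filter")
    return "<div>" + downstream_transcode(user_input) + "</div>"


def hardened_render(user_input: str) -> str:
    """Canonicalise to exactly the form the consumer will see, then
    output-encode that form. Filtering is no longer load-bearing."""
    canonical = downstream_transcode(user_input)
    return "<div>" + html.escape(canonical, quote=True) + "</div>"


def canonicalisation_introduces_markup(user_input: str) -> bool:
    """Detection helper for logging / WAF review: True when the raw input
    contains no ASCII brackets but its canonical form does. Such inputs
    are exactly the ones that slip past a raw-input filter."""
    before = set(user_input) & {"<", ">"}
    after = set(downstream_transcode(user_input)) & {"<", ">"}
    return not before and bool(after)


def contains_script_tag(rendered: str) -> bool:
    """Helper for checking what the browser would actually parse."""
    return "<script>" in rendered


if __name__ == "__main__":
    # Constructed sample inputs: fullwidth brackets and guillemets.
    for sample in ("\uff1cscript\uff1e", "\u00abscript\u00bb"):
        print(repr(sample), "flagged:", canonicalisation_introduces_markup(sample))
        print("  vulnerable:", vulnerable_render(sample))
        print("  hardened:  ", hardened_render(sample))
```

The fix is not a longer blacklist: every additional look-alike the transcoding layer happens to fold is a new bypass. Canonicalise first, then encode for the output context, and log inputs where canonicalisation changes the set of significant characters, since those are the requests worth a second look.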