Full Disclosure mailing list archives
Re: [WEB SECURITY] Re[2]: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?
From: "Chris Weber" <chris () casabasec com>
Date: Fri, 05 Jun 2009 09:34:34 -0700
Sorta, kinda, not really. From the outside looking in, the inputs can help us understand what's happening under the covers: 1. Some Java, .Net, ICU API is performing string Normalization 2. Some API or data handoff (e.g. from IIS front-end to Oracle db) is performing an (otherwise unintended) best-fit mapping 3. Some developer chose to do transform strings in a custom way White Hat's in a good position to go to these customers, ask them if they can peek at the code, and gather information about which frameworks API's they were using, and how they were calling them. That's what I'd do with this information. Although, we already know how most of the major frameworks behave. Chris -----Original Message----- From: Thierry Zoller [mailto:Thierry () Zoller lu] Sent: Friday, June 05, 2009 1:43 AM To: Arian J. Evans Cc: Prasad Shenoy; Full-Disclosure; 3APA3A; websecurity () webappsec org Subject: [WEB SECURITY] Re[2]: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Hi, AJE> We have seen 44 sites in the last year at WhiteHat Security that were AJE> vulnerable to Fullwidth unicode-encoded attacks. This one tends to be AJE> more ubiquitous than others when you find it. In the applications weak AJE> to this -- we found roughly 200 locations vulnerable to attack in AJE> those 44 applications, and each location would have multiple inputs, AJE> so you are probably talking 1,000+ inputs vulnerable to attack using AJE> this encoding. The discussion of how many inputs are vulnerable is kind of ludicrous isn't it? As it nearly always boils down to the same set of impacts even if you have a trillion of inputs vulnerable, per domain. ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Arian J. Evans (Jun 04)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Prasad Shenoy (Jun 04)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Arian J. Evans (Jun 04)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Thierry Zoller (Jun 05)
- Re: [WEB SECURITY] Re[2]: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Chris Weber (Jun 05)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Arian J. Evans (Jun 06)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Chris Weber (Jun 05)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Arian J. Evans (Jun 04)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Prasad Shenoy (Jun 04)
- Message not available
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Arian J. Evans (Jun 06)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Chris Weber (Jun 07)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Arian J. Evans (Jun 07)
- Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Arian J. Evans (Jun 06)