WebApp Sec mailing list archives
RE: Extended ASCII characters used for injection
From: "Richard M. Smith" <Richard.M.Smith () bsf-llc com>
Date: Thu, 21 Oct 2010 14:32:03 -0400
The statement from www.w3schools.com simply raises more questions in my mind than it answers:

1. What does server-side software such as Apache, IIS, PHP, etc. do if they receive an HTTP request with a URL that contains a character in the range 0x7F to 0xFF?

2. Will any of the popular Web browsers ever make an HTTP request with a URL that contains a character in the range 0x7F to 0xFF?

3. For that matter, are characters in the range 0x7F and 0xFF invalid in all HTTP headers?

4. A related question: How do various server-side software packages handle invalid UTF-8 multi-byte sequences in HTTP headers and bodies?

I believe that these questions would be best answered with an extensive test suite. Perhaps one already exists.

Richard

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Linden Darling
Sent: Wednesday, October 20, 2010 11:56 PM
To: Nibbler
Cc: webappsec () securityfocus com
Subject: RE: Extended ASCII characters used for injection

Assuming you mean "block these characters AFTER they've been decoded from legitimate URI characters"...otherwise:

http://www.w3schools.com/TAGS/ref_urlencode.asp
"URLs can only be sent over the Internet using the ASCII character-set. Since URLs often contains characters outside the ASCII set, the URL has to be converted. URL encoding converts the URL into a valid ASCII format. URL encoding replaces unsafe ASCII characters with "%" followed by two hexadecimal digits corresponding to the character values in the ISO-8859-1 character-set."

http://en.wikipedia.org/wiki/Percent-encoding
"Percent-encoding a reserved character involves converting the character to its corresponding byte value in ASCII and then representing that value as a pair of hexadecimal digits. The digits, preceded by a percent sign ("%"), are then used in the URI in place of the reserved character. (For a non-ASCII character, it is typically converted to its byte sequence in UTF-8, and then each byte value is represented as above.)"

In line with Jeff's response below, if some part of the decoded URI is used within a SQL statement, for instance, then there can be problem situations such as with Big5 characters that can be used for SQL Injection purposes.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jeff Williams
Sent: Thursday, 21 October 2010 2:32 PM
To: Chris Weber
Cc: Nibbler; <webappsec () securityfocus com>
Subject: Re: Extended ASCII characters used for injection

What platform are you using? It really makes a difference in how Unicode is handled.

--Jeff

On Oct 20, 2010, at 2:29 AM, "Chris Weber" <chris () casabasecurity com> wrote:

You'd be blocking legitimate usage of many different character encodings including UTF-8 and ISO-8859-1 if you blocked 0x77 - 0xff.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Nibbler
Sent: Tuesday, October 19, 2010 6:06 AM
To: webappsec () securityfocus com
Subject: Extended ASCII characters used for injection

Hi list,

I have a web app and I want to block special characters in URL on the web server.
Do you know if there is a risk of injection (XSS...) with extended ASCII char (%7f-%ff)?
Is there any reason to block these characters?

Thanks

Regards,
Nib

--------------------------------------
This list is sponsored by Cenzic
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
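The thread raises three separate points: that %7F-%FF bytes are how legitimate UTF-8 and ISO-8859-1 text travels in a URL, that a server should reject invalid UTF-8 multi-byte sequences, and that Big5 characters can break byte-level SQL escaping. The following is an added example written for this archive page, not code posted by any participant; it reimplements PHP-style addslashes() in Python for illustration, and the Big5 input bytes (0xB3 followed by a quote) are constructed for the demonstration, as is the "caf%C3%A9" sample URL.

```python
# Added example (not from the thread): what happens to bytes 0x7F-0xFF at
# each stage of URL handling: percent-decoding, UTF-8 validation, and
# byte-level SQL escaping applied to multi-byte (Big5) text.
from urllib.parse import unquote_to_bytes


def percent_decode(s: str) -> bytes:
    """Decode %XX escapes to raw bytes without assuming any character set."""
    return unquote_to_bytes(s)


def has_high_bytes(b: bytes) -> bool:
    """True if any byte is in 0x7F-0xFF, i.e. what a '%7f-%ff' block would reject.

    Note that the UTF-8 form of any non-ASCII character trips this check."""
    return any(x >= 0x7F for x in b)


def decode_utf8_strict(b: bytes):
    """Return the text if b is well-formed UTF-8, else None.

    Python's strict decoder rejects overlong forms (e.g. C0 AF for '/'),
    encoded surrogates and truncated sequences, which is the behaviour a
    server should show for invalid UTF-8 multi-byte sequences."""
    try:
        return b.decode("utf-8")
    except UnicodeDecodeError:
        return None


def addslashes(b: bytes) -> bytes:
    """Byte-oriented quote escaping in the style of PHP's addslashes()
    (reimplemented here for illustration)."""
    out = bytearray()
    for x in b:
        if x in (0x27, 0x22, 0x5C, 0x00):  # ' " \ NUL
            out.append(0x5C)
        out.append(x)
    return bytes(out)


def big5_escaping_defeated(b: bytes) -> bool:
    """Escape at byte level, then interpret the result as Big5 (as a database
    with a Big5 connection charset would). Returns True if a quote survives
    unescaped.

    Constructed attacker input 0xB3 0x27: addslashes() inserts 0x5C before the
    quote, giving 0xB3 0x5C 0x27. In Big5, 0xB3 0x5C is a single two-byte
    character, so the backslash is absorbed and the 0x27 quote is live again."""
    text = addslashes(b).decode("big5", errors="replace")
    return "'" in text and "\\'" not in text


def escape_after_decoding(b: bytes):
    """Correct order: validate and decode in the declared charset first, then
    escape (or, better still, bind the value as a query parameter).
    Invalid Big5 is rejected by returning None."""
    try:
        text = b.decode("big5")
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    url_bytes = percent_decode("caf%C3%A9")
    print("high bytes present:", has_high_bytes(url_bytes))
    print("strict UTF-8:", decode_utf8_strict(url_bytes))
    print("overlong %C0%AF accepted:", decode_utf8_strict(percent_decode("%C0%AF")) is not None)
    print("Big5 bypass of byte-level escaping:", big5_escaping_defeated(b"\xb3'"))
    print("escape after decode:", escape_after_decoding(b"\xb3\x5c'"))
```

The two Big5 functions make the ordering point concrete: escaping bytes and then letting the database reassemble multi-byte characters is what turns a lead byte plus a quote into a character plus a bare quote, whereas decoding (and rejecting malformed sequences) before escaping keeps the quote escaped. Parameterised queries avoid the problem entirely because no escaping is applied to the byte stream at all.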
Current thread:
- Extended ASCII characters used for injection Nibbler (Oct 19)
- Re: Extended ASCII characters used for injection Mostafa Siraj (Oct 19)
- RE: Extended ASCII characters used for injection Onken, Skyler (Oct 19)
- Re: Extended ASCII characters used for injection Simon XanthiX (Oct 19)
- Re: Extended ASCII characters used for injection john s (Oct 19)
- RE: Extended ASCII characters used for injection Chris Weber (Oct 20)
- Re: Extended ASCII characters used for injection Jeff Williams (Oct 20)
- RE: Extended ASCII characters used for injection Linden Darling (Oct 20)
- RE: Extended ASCII characters used for injection Richard M. Smith (Oct 25)
- Re: Extended ASCII characters used for injection john s (Oct 25)
- RE: Extended ASCII characters used for injection Chris Weber (Oct 25)
- Re: Extended ASCII characters used for injection john s (Oct 25)
- Re: Extended ASCII characters used for injection Jeff Williams (Oct 20)