[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] [WEB SECURITY] Re[2]: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?



Sorta, kinda, not really.  From the outside looking in, the inputs can help
us understand what's happening under the covers:

1. Some Java, .Net, ICU API is performing string Normalization
2. Some API or data handoff (e.g. from IIS front-end to Oracle db) is
performing an (otherwise unintended) best-fit mapping
3. Some developer chose to do transform strings in a custom way

White Hat's in a good position to go to these customers, ask them if they
can peek at the code, and gather information about which frameworks API's
they were using, and how they were calling them.  That's what I'd do with
this information.  Although, we already know how most of the major
frameworks behave.

Chris


-----Original Message-----
From: Thierry Zoller [mailto:Thierry@xxxxxxxxx] 
Sent: Friday, June 05, 2009 1:43 AM
To: Arian J. Evans
Cc: Prasad Shenoy; Full-Disclosure; 3APA3A; websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Re[2]: [Full-disclosure] [WEB SECURITY] Unicode
Left/Right Pointing Double Angel Quotation Mark bypass?

Hi,

AJE> We have seen 44 sites in the last year at WhiteHat Security that were
AJE> vulnerable to Fullwidth unicode-encoded attacks. This one tends to be
AJE> more ubiquitous than others when you find it. In the applications weak
AJE> to this -- we found roughly 200 locations vulnerable to attack in
AJE> those 44 applications, and each location would have multiple inputs,
AJE> so you are probably talking 1,000+ inputs vulnerable to attack using
AJE> this encoding.

The   discussion   of   how  many  inputs  are  vulnerable  is kind of
ludicrous isn't it? As it nearly always boils down to the same set of
impacts
even if you have a trillion of inputs vulnerable, per domain.


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/