[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] [WEB SECURITY] Re[2]: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?
- To: "'Thierry Zoller'" <Thierry@xxxxxxxxx>, "'Arian J. Evans'" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [WEB SECURITY] Re[2]: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?
- From: "Chris Weber" <chris@xxxxxxxxxxxxx>
- Date: Fri, 05 Jun 2009 09:34:34 -0700
Sorta, kinda, not really. From the outside looking in, the inputs can help
us understand what's happening under the covers:
1. Some Java, .Net, ICU API is performing string Normalization
2. Some API or data handoff (e.g. from IIS front-end to Oracle db) is
performing an (otherwise unintended) best-fit mapping
3. Some developer chose to do transform strings in a custom way
White Hat's in a good position to go to these customers, ask them if they
can peek at the code, and gather information about which frameworks API's
they were using, and how they were calling them. That's what I'd do with
this information. Although, we already know how most of the major
frameworks behave.
Chris
-----Original Message-----
From: Thierry Zoller [mailto:Thierry@xxxxxxxxx]
Sent: Friday, June 05, 2009 1:43 AM
To: Arian J. Evans
Cc: Prasad Shenoy; Full-Disclosure; 3APA3A; websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] Re[2]: [Full-disclosure] [WEB SECURITY] Unicode
Left/Right Pointing Double Angel Quotation Mark bypass?
Hi,
AJE> We have seen 44 sites in the last year at WhiteHat Security that were
AJE> vulnerable to Fullwidth unicode-encoded attacks. This one tends to be
AJE> more ubiquitous than others when you find it. In the applications weak
AJE> to this -- we found roughly 200 locations vulnerable to attack in
AJE> those 44 applications, and each location would have multiple inputs,
AJE> so you are probably talking 1,000+ inputs vulnerable to attack using
AJE> this encoding.
The discussion of how many inputs are vulnerable is kind of
ludicrous isn't it? As it nearly always boils down to the same set of
impacts
even if you have a trillion of inputs vulnerable, per domain.
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/