Re: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?
- To: Chris Weber <chris@xxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Date: Sat, 6 Jun 2009 18:39:55 -0700
On Sat, Jun 6, 2009 at 5:43 PM, Chris Weber <chris@xxxxxxxxxxxxx> wrote:
> Your discussion point #2 seems to digress; talking about the confusables and
> lookalikes doesn't seem to lend to the original subject. Unless you're
> suggesting that they somehow add to the canonicalization of strings that
> White Hat is seeing?
Yes, that is exactly what I am saying.
It is much easier to inject a CAST or a SELECT past a blacklist if
there are multiple characters canonicalized to As and Es in the
application.
And the same goes for things like double-quotes. Many (most?) language
character sets have confusables and false-familiars with U000/001
Unicode, and Latin/ASCII, and sometimes they are canonicalized as
such.
I have nothing that tells me, when I see a character conversion, if it
is a "best fit" mapping or an attempt to canonicalize confusables or
avoid name collision. So I put them all in the same bucket in terms of
security measurement/classification.
A developer using Unicode would probably not put them in the same bucket.
-ae
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
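The bypass Arian describes above, as an added example that is not part of the original thread: a keyword blacklist that runs on the raw input, followed by an application-side canonicalization step (here Python's NFKC normalization) that folds fullwidth Latin letters such as U+FF33 "Ｓ" and the fullwidth quotation mark U+FF02 to their ASCII forms. The filter never sees "SELECT", but the database does. The hardened variant canonicalizes first and filters the canonical form. The blacklist, the pipeline functions and the payloads are all constructed for this example. Note also that the left/right pointing double angle quotation marks from the thread title (U+00AB, U+00BB) are not changed by NFKC; a "best fit" conversion that maps them to a plain double quote is an encoder- or platform-specific behaviour, which is exactly why the post treats every such folding as the same bucket for measurement.

```python
import unicodedata

# Constructed blacklist standing in for a naive SQL-injection filter.
BLACKLIST = ("SELECT", "CAST", "UNION")


def naive_filter(user_input: str) -> bool:
    """Return True if the raw input is rejected by a case-insensitive blacklist.

    str.upper() maps fullwidth lowercase letters to fullwidth uppercase, never
    to ASCII, so fullwidth "ＳＥＬＥＣＴ" does not match "SELECT" here.
    """
    upper = user_input.upper()
    return any(kw in upper for kw in BLACKLIST)


def canonicalize(user_input: str) -> str:
    """Application-side canonicalization.

    NFKC folds compatibility characters (fullwidth letters, fullwidth quotes,
    ligatures) to their ASCII equivalents. It does NOT touch U+00AB/U+00BB;
    any mapping of those to '"' would be a best-fit behaviour of some encoder,
    not Unicode normalization.
    """
    return unicodedata.normalize("NFKC", user_input)


def vulnerable_pipeline(user_input: str):
    """Wrong order: filter the raw string, then canonicalize what passed.

    Returns the string that would reach the database, or None if rejected.
    """
    if naive_filter(user_input):
        return None
    return canonicalize(user_input)


def hardened_pipeline(user_input: str):
    """Right order: canonicalize first, then filter the canonical form."""
    canon = canonicalize(user_input)
    if naive_filter(canon):
        return None
    return canon


# Constructed payloads: fullwidth "SELECT" and fullwidth "UNION SELECT".
FULLWIDTH_SELECT = "\uff33\uff25\uff2c\uff25\uff23\uff34"          # ＳＥＬＥＣＴ
FULLWIDTH_UNION = "\uff35\uff2e\uff29\uff2f\uff2e"                # ＵＮＩＯＮ
PAYLOAD = f"1 {FULLWIDTH_UNION} {FULLWIDTH_SELECT} password"


def demo() -> dict:
    """Run both pipelines over the constructed payload and a few characters."""
    return {
        "raw_filter_blocks_payload": naive_filter(PAYLOAD),
        "vulnerable_result": vulnerable_pipeline(PAYLOAD),
        "hardened_result": hardened_pipeline(PAYLOAD),
        "fullwidth_quote_folds": canonicalize("\uff02"),
        "angle_quote_unchanged": canonicalize("\u00ab\u00bb"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the block shows the raw filter letting the payload through, the vulnerable pipeline handing the database "1 UNION SELECT password", and the hardened pipeline rejecting it; it also shows that U+FF02 folds to an ASCII double quote while U+00AB and U+00BB survive NFKC untouched.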