Has %uff1c %uff1e become very common? I have found a few places where these are still exploitable. Sometime in the coming week I will post my observations from one particular encounter of this vulnerability to get some responses on what, why and how it is happening.
This email gave a good head start.....

Cheers,
Prasad Shenoy

On Thu, Jun 4, 2009 at 6:10 PM, Arian J. Evans <[email protected]> wrote:
> Hello 3APA3A -- Remember this thread you started 2 years ago? Long
> time no discussion on this topic... :)
>
> Turns out you were spot-on. We verified six different variants of
> this. Jeremiah Grossman published details on his blog:
>
> http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html
>
> It is important to note that when you read the number counts that say:
>
> 11 exploitable XSS in 8 websites:
> %u00ABscript%u00BB
>
> The count of "11" is "11 /path/ locations or forms in a web
> application", not "11 vulnerable inputs". The location might be a .cgi
> or a servlet, with 1 or dozens of inputs in that same location that
> are all "vulnerable" to the same attack technique.
>
> (We call the individual inputs "attack vectors" instead of
> "vulnerabilities" to help people group them and make them more
> actionable. e.g. people usually don't go fix one input, but instead
> fix the CGI, servlet, form-input/request-handler and all the
> associated inputs at once. So reporting each input individually
> doesn't provide any benefit besides making reports bigger.)
>
> Anyway, there are many more of these kinds of
> false-familiar/transliteral transcoding and canonicalization issues.
>
> I will continue to feed anything interesting to Jeremiah and it will
> probably wind up on his blog.
>
> Thanks again for opening my mind up to some new angles for
> filter-evasion tricks! :)
>
> ciao
>
> --
> Arian Evans
> I invest most of my money in motorcycles, mistresses, and martinis.
> The rest of it I squander.
>
>
> On Tue, May 22, 2007 at 9:52 AM, Arian J. Evans <[email protected]> wrote:
> >
> > I'll let you know if this hits. I am running this test currently on about
> > 600+ sites.
> >
> > -ae
> >
> > On 5/22/07, 3APA3A <[email protected]> wrote:
> > >
> > > Dear [email protected],
> > >
> > > By the way: I saw Unicode Left Pointing Double Angle Quotation Mark
> > > (%u00AB) / Unicode Right Pointing Double Angle Quotation Mark (%u00BB)
> > > are sometimes translated to '<' and '>'. Has somebody experimented
> > > with
> > >
> > > %u00ABscript%u00BB
> > >
> > > in different environments to bypass filtering in this way?
> > >
> > > --
> > > http://securityvulns.com/
> > >  /\_/\
> > > { , . }            |\
> > > +--oQQo->{ ^ }<-----+ \
> > > | ZARAZA U 3APA3A  } You know my name - look up my number (The Beatles)
> > > +-------------o66o--+ /
> > >                     |/
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA

--
Thought for the day - "Emails can hurt feelings. If this one did, please ignore your feelings."
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
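Added example (not code from the thread or from any of its participants) in Python, modelling the ordering bug the thread describes: a filter that rejects ASCII angle brackets runs before a lossy transliteration step, so %u00AB/%u00BB and %uff1c/%uff1e pass the check and only become '<' and '>' afterwards. The `BEST_FIT` table is a constructed stand-in for whatever best-fit mapping a given stack applies to the double-angle quotation marks; the fullwidth forms fold to ASCII under plain NFKC normalization. The hardened pipeline canonicalizes first and then HTML-encodes at output, and `is_disguised_markup` is a detection check for input that gains brackets only after canonicalization.

```python
import html
import re
import unicodedata

# Constructed model of the lossy "best-fit" transliteration the thread
# describes (U+00AB/U+00BB emitted as ASCII '<' / '>'). This table is an
# assumption for the demo, not a real code page mapping.
BEST_FIT = {"\u00ab": "<", "\u00bb": ">", "\u201c": '"', "\u201d": '"'}

_PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_percent_u(raw: str) -> str:
    """Decode IIS-style %uXXXX escapes (and plain %XX) into a str."""
    return _PCT.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), raw)


def transliterate(s: str) -> str:
    """NFKC folds U+FF1C/U+FF1E to '<'/'>'; the constructed best-fit
    table folds the double-angle quotation marks the same way."""
    s = unicodedata.normalize("NFKC", s)
    return "".join(BEST_FIT.get(ch, ch) for ch in s)


def reject_angle_brackets(s: str) -> str:
    """Naive filter: only literal ASCII '<' and '>' are rejected."""
    if "<" in s or ">" in s:
        raise ValueError("markup rejected")
    return s


def vulnerable_pipeline(raw: str) -> str:
    """Filter BEFORE canonicalization: the check sees no ASCII brackets,
    then a later transliteration step manufactures them."""
    s = reject_angle_brackets(decode_percent_u(raw))
    return transliterate(s)


def hardened_pipeline(raw: str) -> str:
    """Canonicalize FIRST, then encode for the HTML output context."""
    s = transliterate(decode_percent_u(raw))
    return html.escape(s, quote=True)


def is_disguised_markup(raw: str) -> bool:
    """Detection: input with no literal brackets that gains them after
    canonicalization is exactly the pattern the thread describes."""
    decoded = decode_percent_u(raw)
    canon = transliterate(decoded)
    return not any(c in decoded for c in "<>") and any(c in canon for c in "<>")
```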
