On Sat, Jun 6, 2009 at 5:43 PM, Chris Weber<[email protected]> wrote:
> Your discussion point #2 seems to digress; talking about the confusables and
> lookalikes doesn't seem to lend to the original subject. Unless you're
> suggesting that they somehow add to the canonicalization of strings that
> White Hat is seeing?

Yes, that is exactly what I am saying. It is much easier to inject a CAST or a SELECT past a blacklist if there are multiple characters canonicalized to As and Es in the application. And the same goes for things like double-quotes.

Many (most?) language character sets have confusables and false-familiars with U000/001 Unicode, and Latin/ASCII, and sometimes they are canonicalized as such. I have nothing that tells me, when I see a character conversion, if it is a "best fit" mapping or an attempt to canonicalize confusables or avoid name collision. So I put them all in the same bucket in terms of security measurement/classification. A developer using Unicode would probably not put them in the same bucket.

-ae

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
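The bypass described in the reply above, as an added example that is not part of the thread and not code from either poster: a keyword blacklist is applied to the raw input, the application then canonicalizes the string (NFKC, which is standard Unicode behaviour, followed by a confusable fold that stands in for a "best fit" or homoglyph mapping), and the query is built from the canonical form. The CONFUSABLE_FOLD table, the PAYLOAD string and the query template are constructed for the demo and are assumptions, not a documented mapping from any real code page or product.

```python
import unicodedata

# Naive keyword blacklist, applied by the vulnerable path to the raw input.
BLACKLIST = ("SELECT", "CAST", "UNION", '"', "'")

# Constructed stand-in for a "best fit" / confusable-folding step, such as a
# legacy code-page conversion or a homoglyph normalizer might apply. These
# pairs are assumptions for the demo, not a documented mapping.
CONFUSABLE_FOLD = {
    "\u0405": "S",  # CYRILLIC CAPITAL LETTER DZE, looks like Latin S
    "\u0415": "E",  # CYRILLIC CAPITAL LETTER IE
    "\u0421": "C",  # CYRILLIC CAPITAL LETTER ES
    "\u0422": "T",  # CYRILLIC CAPITAL LETTER TE
    "\u0410": "A",  # CYRILLIC CAPITAL LETTER A
    "\u201c": '"',  # LEFT DOUBLE QUOTATION MARK
    "\u201d": '"',  # RIGHT DOUBLE QUOTATION MARK
}

# Constructed attacker input: a fullwidth apostrophe (U+FF07) plus SELECT
# spelled with Cyrillic lookalikes for S, E, C and T. Neither the blacklist
# tokens nor an ASCII quote appear in the raw string.
PAYLOAD = "x\uff07; \u0405\u0415LE\u0421\u0422 1 --"


def blacklist_rejects(s: str) -> bool:
    """Case-insensitive substring blacklist over whatever string it is given."""
    u = s.upper()
    return any(bad in u for bad in BLACKLIST)


def canonicalize(s: str) -> str:
    """Two conversions that land in the same bucket from the filter's view.

    Stage 1: NFKC folds fullwidth forms (U+FF21..U+FF3A, U+FF07, ...) and
    other compatibility characters to their ASCII base characters.
    Stage 2: the constructed confusable fold turns homoglyphs into ASCII.
    Both turn characters the blacklist never saw into the exact letters the
    blacklist was written against.
    """
    s = unicodedata.normalize("NFKC", s)
    return "".join(CONFUSABLE_FOLD.get(ch, ch) for ch in s)


def bypasses_raw_check(s: str) -> bool:
    """True when the raw input passes the blacklist but its canonical form does not."""
    return not blacklist_rejects(s) and blacklist_rejects(canonicalize(s))


def vulnerable_build(user_input: str) -> str:
    """Checks the raw input, then builds the query from the canonical form."""
    if blacklist_rejects(user_input):
        raise ValueError("rejected")
    return "SELECT * FROM t WHERE name = '" + canonicalize(user_input) + "'"


def hardened_build(user_input: str) -> str:
    """Canonicalize first, then check the exact string that will be used.

    (A parameterized query is the real fix; this keeps the blacklist so the
    ordering problem alone is visible.)
    """
    canon = canonicalize(user_input)
    if blacklist_rejects(canon):
        raise ValueError("rejected")
    return "SELECT * FROM t WHERE name = '" + canon + "'"


if __name__ == "__main__":
    print("raw rejected?      ", blacklist_rejects(PAYLOAD))
    print("canonical form:    ", canonicalize(PAYLOAD))
    print("vulnerable query:  ", vulnerable_build(PAYLOAD))
    try:
        hardened_build(PAYLOAD)
    except ValueError as e:
        print("hardened result:   ", e)
```

Running it shows the raw check accepting the payload while the canonical form is `x'; SELECT 1 --`, which the hardened path rejects. Whether a given conversion came from NFKC, a best-fit table or a confusable fold makes no difference to the outcome, which is the point the reply makes about putting them all in one bucket.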
