Date: Thu, 4 Jun 2009 15:10:16 -0700
From: "Arian J. Evans" <arian.evans@...chronic.com>
To: 3APA3A <3APA3A@...urity.nnov.ru>, 
	Full-Disclosure <full-disclosure@...ts.grok.org.uk>, 
	"websecurity@...appsec.org" <websecurity@...appsec.org>
Subject: Re: [WEB SECURITY] Unicode Left/Right Pointing
	Double Angel Quotation Mark bypass?

Hello 3APA3A -- Remember this thread you started 2 years ago? Long
time no discussion on this topic... :)

Turns out you were spot-on. We verified six different variants of
this. Jeremiah Grossman published details on his blog:

http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html

It is important to note that when you read the number counts that say:

11 exploitable XSS in 8 websites:
%u00ABscript%u00BB

The count of "11" is "11 /path/ locations or forms in a web
application", not "11 vulnerable inputs". The location might be a .cgi
or a servlet, with 1 or dozens of inputs in that same location that
are all "vulnerable" to the same attack technique.

(We call the individual inputs "attack vectors" instead of
"vulnerabilities" to help people group them and make them more
actionable. E.g., people usually don't go fix one input, but instead
fix the CGI, servlet, form-input/request-handler and all the
associated inputs at once. So reporting each input individually
doesn't provide any benefit besides making reports bigger.)

Anyway, there are many more of these kinds of
false-familiar/transliteral transcoding and canonicalization issues.

I will continue to feed anything interesting to Jeremiah and it will
probably wind up on his blog.

Thanks again for opening my mind up to some new angles for
filter-evasion tricks! :)

ciao

--
Arian Evans
I invest most of my money in motorcycles, mistresses, and martinis.
The rest of it I squander.




On Tue, May 22, 2007 at 9:52 AM, Arian J. Evans <arian@...chronic.com> wrote:
>
> I'll let you know if this hits. I am running this test currently on about 600 + sites.
>
> -ae
>
> On 5/22/07, 3APA3A < 3APA3A@...urity.nnov.ru> wrote:
>>
>> Dear full-disclosure@...ts.grok.org.uk,
>>
>>   By the way: I saw Unicode Left Pointing Double Angle Quotation Mark
>>   (%u00AB) / Unicode Right Pointing Double Angle Quotation Mark (%u00BB)
>>   are sometimes translated to '<' and '>'. Has somebody experimented
>>   with
>>
>>   %u00ABscript%u00BB
>>
>>   in different environments to bypass filtering in this way?
>>
>> --
>> http://securityvulns.com/
>>          /\_/\
>>         { , . }     |\
>> +--oQQo->{ ^ }<-----+ \
>> |  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
>> +-------------o66o--+ /
>>                     |/
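The ordering bug behind the bypass discussed above, as an added example that is not part of the thread: a filter that inspects the raw request value misses "%u00ABscript%u00BB", while a later decode-plus-transliterate step turns it into "<script>". The %uXXXX decoder and the "best-fit" mapping of U+00AB/U+00BB to '<' and '>' are simulated here as assumptions about such a stack, not the behaviour of any product named in the thread. The hardened variant canonicalizes first (same steps, same order as the sink) and then output-encodes.

```python
import html
import re

# Assumption: a non-standard %uXXXX escape decoder (JScript escape() style),
# simulated here; not taken from any product discussed in the thread.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")

def decode_percent_u(s: str) -> str:
    """Decode %uXXXX escapes into the corresponding Unicode characters."""
    return _PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s)

# Constructed stand-in for a lossy "best-fit" transcoding step that runs
# downstream of the filter (e.g. Unicode -> legacy single-byte charset).
_BEST_FIT = {"\u00ab": "<", "\u00bb": ">"}

def transliterate(s: str) -> str:
    """Map characters the way the simulated downstream transcoder would."""
    return "".join(_BEST_FIT.get(ch, ch) for ch in s)

_BLOCKLIST = re.compile(r"<\s*script", re.IGNORECASE)

def naive_filter_allows(raw: str) -> bool:
    """Bug: validates the raw value BEFORE decoding and transcoding."""
    return _BLOCKLIST.search(raw) is None

def render_naive(raw: str) -> str:
    """Sink: decodes and transcodes after the filter, no output encoding."""
    return f"<p>{transliterate(decode_percent_u(raw))}</p>"

def canonicalize(raw: str) -> str:
    """Apply every decode/transcode step the sink applies, in the same order."""
    return transliterate(decode_percent_u(raw))

def hardened_filter_allows(raw: str) -> bool:
    """Validate the canonical form, i.e. what the sink will actually see."""
    return _BLOCKLIST.search(canonicalize(raw)) is None

def render_hardened(raw: str) -> str:
    """Output-encode the canonical form so leftover metacharacters are inert."""
    return f"<p>{html.escape(canonicalize(raw))}</p>"

PAYLOAD = "%u00ABscript%u00BB"  # the probe string from the thread
```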
