| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 05 Jun 2009 09:34:34 -0700 From: "Chris Weber" <chris@...abasec.com> To: "'Thierry Zoller'" <Thierry@...ler.lu>, "'Arian J. Evans'" <arian.evans@...chronic.com> Cc: 'Prasad Shenoy' <prasad.shenoy@...il.com>, 'Full-Disclosure' <full-disclosure@...ts.grok.org.uk>, '3APA3A' <3APA3A@...urity.nnov.ru>, websecurity@...appsec.org Subject: Re: [WEB SECURITY] Re[2]: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Sorta, kinda, not really. From the outside looking in, the inputs can help us understand what's happening under the covers: 1. Some Java, .Net, ICU API is performing string Normalization 2. Some API or data handoff (e.g. from IIS front-end to Oracle db) is performing an (otherwise unintended) best-fit mapping 3. Some developer chose to do transform strings in a custom way White Hat's in a good position to go to these customers, ask them if they can peek at the code, and gather information about which frameworks API's they were using, and how they were calling them. That's what I'd do with this information. Although, we already know how most of the major frameworks behave. Chris -----Original Message----- From: Thierry Zoller [mailto:Thierry@...ler.lu] Sent: Friday, June 05, 2009 1:43 AM To: Arian J. Evans Cc: Prasad Shenoy; Full-Disclosure; 3APA3A; websecurity@...appsec.org Subject: [WEB SECURITY] Re[2]: [Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? Hi, AJE> We have seen 44 sites in the last year at WhiteHat Security that were AJE> vulnerable to Fullwidth unicode-encoded attacks. This one tends to be AJE> more ubiquitous than others when you find it. In the applications weak AJE> to this -- we found roughly 200 locations vulnerable to attack in AJE> those 44 applications, and each location would have multiple inputs, AJE> so you are probably talking 1,000+ inputs vulnerable to attack using AJE> this encoding. The discussion of how many inputs are vulnerable is kind of ludicrous isn't it? As it nearly always boils down to the same set of impacts even if you have a trillion of inputs vulnerable, per domain. ---------------------------------------------------------------------------- Join us on IRC: irc.freenode.net #webappsec Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/ Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed] Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists