| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 6 Jun 2009 18:39:55 -0700 From: "Arian J. Evans" <arian.evans@...chronic.com> To: Chris Weber <chris@...abasec.com> Cc: Stephen de Vries <stephen@...steddelight.org>, Full-Disclosure <full-disclosure@...ts.grok.org.uk>, websecurity@...appsec.org Subject: Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass? On Sat, Jun 6, 2009 at 5:43 PM, Chris Weber<chris@...abasec.com> wrote: > Your discussion point #2 seems to digress, talking about the confusables and > lookalikes don't seem to lend to the original subject. Unless, you're > suggesting that they somehow add to the canonicalization of strings that > White Hat is seeing? Yes, that is exactly what I am saying. It is much easier to inject a CAST or a SELECT past a blacklist if there are multiple characters canonicalized to As and Es in the application. And the same goes for things like double-quotes. Many (most?) language character sets have confusables and false-familiars with U000/001 Unicode, and Latin/ASCII, and sometimes they are canonicalized as such. I have nothing that tells me, when I see a character conversion, if it is a "best fit" mapping or an attempt to canonicalize confusables or avoid name collision. So I put them all in the same bucket in terms of security measurement/classification. A developer using unicode would probably not put them in the same bucket. -ae _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists