mailing list archives
Advisory: Attack of the Mongolian space evaders... (and other Medieval XSS vectors)
From: "Chris Weber" <chrisweber () live com>
Date: Sat, 13 Sep 2008 14:52:40 -0700
Link to notes and test case:
Don't mean to make light of the situation but I do wish I had some Danel
Clowe skills to cartoon this. How often do we get to use Ogham Space Marks
and Mongolian Vowel Separators to bypass filters and deliver cross-site
What am I talking about? Okay enough fun, read on.
Opera released version 9.52 of their flagship browser about a month ago to
address an issue in the way certain Unicode characters were being
interpreted as white space. This behavior enabled cross-site scripting
(XSS) attacks which might not otherwise be possible. Perhaps exploiting
this issue would also be useful to evade HTML filters, AV's, WAFs, or other
detection systems which try to prevent XSS attacks.
The HTML 4.01 specification defines four whitespace characters, and
explicitly does not define other cases. Note to XSS filter developers: Any
character can be treated as whitespace by an HTML4 conforming User-Agent.
Have I tested this already? Yes, in most HTML agents I know about.
The HTML 5 specification defines five types of "whitespace characters", and
explicitly nothing else. However, the HTML 5 spec is in flux which is a
much bigger issue. more on this later.
The Unicode spec assigns binary property meta-data to code points, one of
which is the 'white_space' property. In Opera's case, we could use almost
any character with a Unicode white_space property to represent a normal
whitespace character like U+0020.
The following code points all get treated as a space. Making things like:
possible. This list includes many of the Unicode code points with the
U+2002 to U+200A
U+180E Mongolian Vowel Separator
U+1680 Ogham Space Mark
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Advisory: Attack of the Mongolian space evaders... (and other Medieval XSS vectors) Chris Weber (Sep 13)