Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Advisory: Attack of the Mongolian space evaders... (and other Medieval XSS vectors)
From: "Chris Weber" <chrisweber () live com>
Date: Sat, 13 Sep 2008 14:52:40 -0700

Link to notes and test case: 

Don't mean to make light of the situation but I do wish I had some Danel 
Clowe skills to cartoon this.  How often do we get to use Ogham Space Marks 
and Mongolian Vowel Separators to bypass filters and deliver cross-site 
scripting attacks?

What am I talking about?  Okay enough fun, read on.

Opera released version 9.52 of their flagship browser about a month ago to 
address an issue in the way certain Unicode characters were being 
interpreted as white space.  This behavior enabled cross-site scripting 
(XSS) attacks which might not otherwise be possible.  Perhaps exploiting 
this issue would also be useful to evade HTML filters, AV's, WAFs, or other 
detection systems which try to prevent XSS attacks.

The HTML 4.01 specification defines four whitespace characters, and 
explicitly does not define other cases.  Note to XSS filter developers:  Any 
character can be treated as whitespace by an HTML4 conforming User-Agent. 
Have I tested this already?  Yes, in most HTML agents I know about.

The HTML 5 specification defines five types of "whitespace characters", and 
explicitly nothing else.   However, the HTML 5 spec is in flux which is a 
much bigger issue. more on this later.

The Unicode spec assigns binary property meta-data to code points, one of 
which is the 'white_space' property.  In Opera's case, we could use almost 
any character with a Unicode white_space property to represent a normal 
whitespace character like U+0020.

The following code points all get treated as a space.  Making things like:

<a href=#[U+180E]onclick=alert()>

possible. This list includes many of the Unicode code points with the 
white_space property:

U+2002 to U+200A
U+180E Mongolian Vowel Separator
U+1680 Ogham Space Mark

Chris Weber

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]