Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Sat, 6 Jun 2009 18:39:55 -0700
On Sat, Jun 6, 2009 at 5:43 PM, Chris Weber <chris () casabasec com> wrote:
> Your discussion point #2 seems to digress, talking about the confusables and
> lookalikes don't seem to lend to the original subject. Unless, you're
> suggesting that they somehow add to the canonicalization of strings that
> White Hat is seeing?

Yes, that is exactly what I am saying.

It is much easier to inject a CAST or a SELECT past a blacklist if
there are multiple characters canonicalized to As and Es in the

And the same goes for things like double-quotes. Many (most?) language
character sets have confusables and false-familiars with U000/001
Unicode, and Latin/ASCII, and sometimes they are canonicalized as

I have nothing that tells me, when I see a character conversion, if it
is a "best fit" mapping or an attempt to canonicalize confusables or
avoid name collision. So I put them all in the same bucket in terms of

A developer using Unicode would probably not put them in the same bucket.
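
Added example, not part of the original message: a Python sketch of why a blacklist has to run on the converted string rather than the raw one, plus a per-character report a defender can log. The blacklist, the sample inputs and the use of NFKC as the conversion are assumptions; a code-page "best fit" table is a different mapping, and NFKC leaves the double angle quotation marks from the subject line unchanged, so canonicalize() must mirror whatever conversion the application really performs.

```python
import unicodedata

# Hypothetical blacklist of the kind discussed in the thread (assumption).
BLACKLIST = ("select", "cast", '"', "<", ">")

def naive_filter(value: str) -> bool:
    """Blacklist check on the raw input, before any conversion. True = accepted."""
    lowered = value.lower()
    return not any(token in lowered for token in BLACKLIST)

def canonicalize(value: str) -> str:
    """Stand-in for the conversion a later layer performs (NFKC is an assumption)."""
    return unicodedata.normalize("NFKC", value)

def strict_filter(value: str) -> bool:
    """Convert first, then apply the same blacklist to the result."""
    return naive_filter(canonicalize(value))

def changed_chars(value: str):
    """List every character that converts to something else, for logging."""
    report = []
    for ch in value:
        folded = canonicalize(ch)
        if folded != ch:
            report.append((f"U+{ord(ch):04X}", unicodedata.name(ch, "?"), folded))
    return report

# Constructed sample inputs.
SAMPLES = [
    "plain text",
    "\uff33\uff25\uff2c\uff25\uff23\uff34 1",  # fullwidth letters, fold to SELECT
    "say \uff02hi\uff02",                      # fullwidth quotation marks, fold to "
    "\u00abtag\u00bb",                         # double angle quotation marks
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample),
              "raw check:", naive_filter(sample),
              "converted check:", strict_filter(sample),
              "changed:", changed_chars(sample))
```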