Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Sat, 6 Jun 2009 18:39:55 -0700

On Sat, Jun 6, 2009 at 5:43 PM, Chris Weber<chris () casabasec com> wrote:


Your discussion point #2 seems to digress, talking about the confusables and
lookalikes don't seem to lend to the original subject.  Unless, you're
suggesting that they somehow add to the canonicalization of strings that
White Hat is seeing?

Yes, that is exactly what I am saying.

It is much easier to inject a CAST or a SELECT past a blacklist if
there are multiple characters canonicalized to As and Es in the
application.

And the same goes for things like double-quotes. Many (most?) language
character sets have confusables and false-familiars with U000/001
Unicode, and Latin/ASCII, and sometimes they are canonicalized as
such.

I have nothing that tells me, when I see a character conversion, if it
is a "best fit" mapping or an attempt to canonicalize confusables or
avoid name collision. So I put them all in the same bucket in terms of
security measurement/classification.

A developer using unicode would probably not put them in the same bucket.

-ae

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault