[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] Re: noise about full-width encoding bypass?

From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
Subject: [WEB SECURITY] Re: noise about full-width encoding bypass?
Date: Mon, 21 May 2007 14:36:59 -0400

On 5/21/07, Brian Eaton <eaton.lists@xxxxxxxxx> wrote:

Has anyone had a look at the full-width unicode encoding trick discussed here?

http://www.kb.cert.org/vuls/id/739224

AFAICT, this technique could be useful for a homograph attack.  I
don't think it's useful for much else.  However, a few vendors have
reacted already, so I may be missing something important.


To summarize what I've heard from various sources: I am missing
something important. =)  Both PHP and ASP.NET will decode these
characters into their ASCII equivalents.  I don't think J2EE apps are
vulnerable, but this is definitely useful for more more than just
homograph attacks.

Thanks to the various people who have tested this out!

Regards,
Brian

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Follow-Ups:
- [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?
  - From: ascii
- Re: [WEB SECURITY] Re: noise about full-width encoding bypass?
  - From: Arian J. Evans

References:
- [WEB SECURITY] noise about full-width encoding bypass?
  - From: Brian Eaton

Prev by Date: [WEB SECURITY] Reflection on Ryan Barnett
Next by Date: [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?
Previous by thread: Re: [WEB SECURITY] noise about full-width encoding bypass?
Next by thread: [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site