[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?

From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
Subject: [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?
Date: Mon, 21 May 2007 15:48:09 -0400

On 5/21/07, 3APA3A <3APA3A@xxxxxxxxxxxxxxxx> wrote:

It's not true, because it's quite convertible character. At least for IIS:

http://example.com/test.asp?q=%uFF1Cscript>alert("Hello")</script>

where test.asp is

<%=Request.QueryString("q")%>

launches javascript.


This does not work for me for IIS 6 and IE 7.  What platform did you test?

Regards,
Brian

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Follow-Ups:
- [WEB SECURITY] Re[2]: [Full-disclosure] noise about full-width encoding bypass?
  - From: 3APA3A

References:
- [WEB SECURITY] noise about full-width encoding bypass?
  - From: Brian Eaton
- [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?
  - From: 3APA3A

Prev by Date: [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?
Next by Date: [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?
Previous by thread: [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding bypass?
Next by thread: [WEB SECURITY] Re[2]: [Full-disclosure] noise about full-width encoding bypass?
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site