
Re: [WEB SECURITY] UTF7 a requirement?



Hi, Robert.

On Tue, Mar 25, 2008 at 6:50 AM,  <robert@xxxxxxxxxxxxx> wrote:
>  It seems to me you could just set UTF8 as a requirement (specified in headers/meta) and avoid these utf7 xss issues. Any
>  encoding ninjas care to comment?

That is right in most cases, but very occasionally it is a mistake.
When "charset=UTF-8" is specified by <meta> in the HTML, not by an HTTP
response header, and an attacker can control the <title> string before the <meta>,
XSS may occur.

For example, if an attacker puts a UTF-7 string as the title before the <meta>,
as shown below,
IE detects this HTML as UTF-7, not UTF-8.
--
<title>
+ADw-/title+AD4APA-meta http-equiv+AD0-'content-type'
content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-
</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
--

PoC is here.
 - http://openmya.hacker.jp/hasegawa/PoC/utf-7/inject-meta.html

See these pages for more details.
 - http://openmya.hacker.jp/hasegawa/security/utf7cs.html
 - http://openmya.hacker.jp/hasegawa/public/20071107/s6/h6.html?file=datae.txt

Regards,
-- 
HASEGAWA Yosuke
 yosuke.hasegawa@xxxxxxxxx

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
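
An added example, not part of the original message or the author's PoC: a Python check a defender could run over a response to find the condition described in the message, that is, no charset in the Content-Type header together with UTF-7 encoded markup ahead of the first <meta> charset declaration. The function names are hypothetical and the sample body is constructed from the snippet quoted in the message.

```python
import re

# A UTF-7 shifted run: '+', modified-base64 characters, optional closing '-'.
UTF7_RUN = re.compile(rb"\+[A-Za-z0-9+/]+-?")
META_CHARSET = re.compile(rb"<meta[^>]*charset\s*=", re.I)
HEADER_CHARSET = re.compile(r"charset\s*=\s*[\"']?([\w-]+)", re.I)

# Constructed sample: the <title>/<meta> snippet quoted in the message.
SAMPLE = (
    b"<title>\n+ADw-/title+AD4APA-meta http-equiv+AD0-'content-type'\n"
    b"content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-\n</title>\n"
    b'<meta http-equiv="content-type" content="text/html; charset=utf-8">'
)


def header_charset(content_type):
    """Return the charset named in a Content-Type header value, or None."""
    m = HEADER_CHARSET.search(content_type or "")
    return m.group(1).lower() if m else None


def utf7_markup_before_meta(body):
    """Decode UTF-7 runs found before the first <meta> charset declaration
    and return those that become markup characters under UTF-7."""
    m = META_CHARSET.search(body)
    prefix = body[: m.start()] if m else body
    hits = []
    for run in UTF7_RUN.findall(prefix):
        try:
            text = run.decode("utf-7")
        except UnicodeDecodeError:
            continue  # a literal '+' in ordinary text, not a UTF-7 run
        if any(c in text for c in "<>\"'"):
            hits.append(text)
    return hits


def audit(content_type, body):
    """Report the condition from the message: charset only in <meta>."""
    if header_charset(content_type):
        return []  # charset comes from the HTTP header, condition not met
    findings = ["charset missing from Content-Type header"]
    if utf7_markup_before_meta(body):
        findings.append("UTF-7 encoded markup precedes <meta charset>")
    return findings


if __name__ == "__main__":
    print(utf7_markup_before_meta(SAMPLE))
    print(audit("text/html", SAMPLE))
```

The decoded runs show which bytes in the title would become `<` and `>` if the page were read as UTF-7.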


