
RE: [WEB SECURITY] UTF7 a requirement?



I think Bob's question was answered pretty thoroughly, but for those of you on the list who are looking for an introduction to this issue I think I'll give a shout-out for my colleague Scott Stender's presentation at Black Hat USA 2006.

Slides:
http://www.isecpartners.com/files/iSEC-Attacking_Internationalized_Software.BH2006.pdf

Video: (thanks Jeff for putting us on iTunes)
http://www.truveo.com/Scott-Stender-Attacking-Internationialized/id/703250396

  -Alex

-----Original Message-----
From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx]
Sent: Monday, March 24, 2008 2:51 PM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] UTF7 a requirement?

Hello List,

We've seen UTF7-based XSS (example: google http://www.securiteam.com/securitynews/6Z00L0AEUE.html) exploited in the wild,
and I'm wondering: is there ever a situation where UTF7 is required for a website to work? Are there certain charsets/languages
that will not render/function properly unless UTF7 is used (I'm thinking no)?

It seems to me you could just set UTF8 as a requirement (specified in headers/meta) and avoid these UTF7 XSS issues. Any
encoding ninjas care to comment?

Regards,
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
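Robert's suggested mitigation (declare UTF-8 explicitly so the browser never has to guess the encoding) as an added example that is not part of the thread: a small check over response headers and bodies that reports when a page leaves its charset undeclared, declared only in a meta tag, or declared as UTF-7. The header and meta-tag patterns are assumed to be the usual declaration forms; the responses fed to it are constructed samples, not captured traffic.

```python
"""Check whether an HTML response pins its charset.

A browser that has to guess the encoding may sniff a page as UTF-7,
which is what the UTF-7 XSS reports rely on. The fix is to declare
UTF-8 in the Content-Type header (preferred) or in a <meta> tag.
Added example, not code from the list thread."""
import re
from typing import List, Optional, Tuple

# Assumed declaration forms: "charset=..." in the Content-Type header,
# and <meta charset="..."> or <meta http-equiv=... content="...; charset=...">
_HEADER_CHARSET = re.compile(r"charset\s*=\s*\"?([\w.-]+)", re.I)
_META_CHARSET = re.compile(r"<meta[^>]+charset\s*=\s*[\"']?([\w.-]+)", re.I)


def declared_charset(headers: dict, body: str) -> Tuple[Optional[str], str]:
    """Return (charset, source) for an HTML response.

    The Content-Type header wins; a <meta> charset in the body is the
    fallback; None means the browser is left to sniff the encoding."""
    ctype = next((v for k, v in headers.items()
                  if k.lower() == "content-type"), "")
    m = _HEADER_CHARSET.search(ctype)
    if m:
        return m.group(1).lower(), "header"
    m = _META_CHARSET.search(body)
    if m:
        return m.group(1).lower(), "meta"
    return None, "none"


def charset_findings(headers: dict, body: str) -> List[str]:
    """Defender-side findings: anything other than an explicit UTF-8
    declaration in the header is worth a ticket."""
    charset, source = declared_charset(headers, body)
    findings = []
    if charset is None:
        findings.append("no charset declared: browser may sniff UTF-7")
    elif charset == "utf-7":
        findings.append("charset is UTF-7: remove it, serve UTF-8")
    elif charset != "utf-8":
        findings.append(f"charset {charset} is not UTF-8")
    if source == "meta" and charset:
        findings.append("charset only in <meta>: set it in Content-Type too")
    return findings


if __name__ == "__main__":
    # Constructed sample: no header charset, UTF-7 declared in the body.
    sample = '<meta http-equiv="Content-Type" content="text/html; charset=utf-7">'
    print(charset_findings({"Content-Type": "text/html"}, sample))
```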


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
