
Re: [WEB SECURITY] UTF7 a requirement?



Sure was thanks everyone!

- Robert
http://www.cgisecurity.com/ Web Security news and more
http://www.webappsec.org/
http://www.qasec.com/ 
> 
> I think Bob's question was answered pretty thoroughly, but for those of you on the list who are looking for an introduction to this issue I think I'll give a shout-out for my colleague Scott Stender's presentation at Black Hat USA 2006.
> 
> Slides:
> http://www.isecpartners.com/files/iSEC-Attacking_Internationalized_Software.BH2006.pdf
> 
> Video: (thanks Jeff for putting us on iTunes)
> http://www.truveo.com/Scott-Stender-Attacking-Internationialized/id/703250396
> 
>   -Alex
> 
> -----Original Message-----
> From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx]
> Sent: Monday, March 24, 2008 2:51 PM
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] UTF7 a requirement?
> 
> Hello List,
> 
> We've seen UTF7-based XSS (example: google http://www.securiteam.com/securitynews/6Z00L0AEUE.html) exploited in the wild
> and I'm wondering whether there is ever a situation where UTF7 is required for a website to work? Are there certain charsets/languages
> that will not render/function properly unless UTF7 is used (I'm thinking no)?
> 
> It seems to me you could just set UTF8 as a requirement (specified in headers/meta) and avoid these UTF7 XSS issues. Any
> encoding ninjas care to comment?
> 
> Regards,
> - Robert
> http://www.cgisecurity.com/
> http://www.webappsec.org/
> 
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
> 
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
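The mitigation Robert proposes (pin the charset to UTF-8 in the headers or a meta tag so the browser never guesses UTF-7) can be checked mechanically. The following is an added example, not code from the thread or from iSEC: it reports whether a response explicitly declares a charset, whether that charset is UTF-8, and whether a piece of text only turns into markup once decoded as UTF-7 (the shape of the XSS the securiteam advisory describes). It assumes response headers are supplied as a dict with canonical header names.

```python
import re

# Lenient patterns for an explicit charset declaration (constructed for this
# example): the Content-Type header and an HTML <meta> tag.
_CT_CHARSET = re.compile(r"charset\s*=\s*\"?([\w\-]+)", re.I)
_META_CHARSET = re.compile(r"<meta[^>]+charset\s*=\s*[\"']?([\w\-]+)", re.I)


def declared_charset(headers, body):
    """Return the charset the response declares (header first, then <meta>),
    lower-cased, or None when nothing declares one and the browser is left
    to sniff the encoding itself."""
    m = _CT_CHARSET.search(headers.get("Content-Type", ""))
    if m:
        return m.group(1).lower()
    m = _META_CHARSET.search(body)
    if m:
        return m.group(1).lower()
    return None


def is_utf8_pinned(headers, body):
    """True only when the response commits to UTF-8, which is the fix the
    thread suggests for UTF-7 sniffing."""
    return declared_charset(headers, body) in ("utf-8", "utf8")


def utf7_hides_markup(text):
    """True if decoding the text as UTF-7 produces '<' or '>' characters that
    are absent from the raw text, i.e. markup that only appears if the
    browser chooses UTF-7. Non-ASCII or malformed input cannot be UTF-7 and
    returns False."""
    try:
        decoded = text.encode("ascii", "strict").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False
    raw_markup = text.count("<") + text.count(">")
    decoded_markup = decoded.count("<") + decoded.count(">")
    return decoded_markup > raw_markup
```

Run `utf7_hides_markup` over untrusted input that is reflected into pages, and `is_utf8_pinned` over the responses that reflect it; a page failing the second check is the one where the first check matters.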





Brought to you by http://www.webappsec.org