RE: [WEB SECURITY] XSS, SQL injection vulns on non-English sites
- From: "Hurst, Dennis" <dennis.hurst@xxxxxx>
- Subject: RE: [WEB SECURITY] XSS, SQL injection vulns on non-English sites
- Date: Wed, 23 Apr 2008 20:11:30 +0000
Jim
Just my $.02, I'm sure others will give more details.
Typically the same way you would any English-based site. The JavaScript is just JavaScript, and in the case of SQL injection everyone uses SQL-92 commands, which are English-ish, so the attack works pretty much the same. If you need to send part of the JavaScript in a Unicode character that's no problem either. The challenge I have had, especially on non-Latin-based languages, is understanding if my attack is working or not. Sometimes the error messages you get back are a challenge to read, but that's my not knowing the other language, not an issue with the hack.
Programming languages are English-ish (not a technical term, but you get the picture) for better or worse, so there isn't a Japanese JavaScript, there is just JavaScript.
Dennis.Hurst@HP.com
________________________________
From: Jim Weiler [mailto:crispusatticks@yahoo.com]
Sent: Wednesday, 23 April, 2008 7:43 PM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] XSS, SQL injection vulns on non-English sites
Q1. How would a cross-site scripting vulnerability be exploited on a non-English web site? Would a link containing a cross-site scripting exploit for that site have to contain ASCII JavaScript or JavaScript characters encoded in some character set that included the ASCII characters?
Q2. How would you do SQL injection to a non-English web site, say Japanese or Arabic? Doesn't the database engine expect ASCII SQL characters? If the web server says it understands UTF-8 I guess you could use a proxy to inject UTF-8 encoded ASCII SQL as form or URL parameter values.
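The point made in this thread, seen from the defending side, as an added example that is not part of either message: the ASCII characters SQL and HTML parsers act on keep the same bytes in common Japanese and Arabic page encodings, so parameter binding and output encoding protect a localized site exactly as they do an English one. The table, rows, function names and sample inputs are constructed for illustration.

```python
import html
import sqlite3

# ASCII characters that carry meaning to SQL and HTML parsers.
METACHARS = "'\"<>;-()="

def same_bytes_everywhere(encodings=("utf-8", "shift_jis", "euc_jp", "cp1256")):
    """True if every metacharacter encodes to its ASCII byte in each page encoding."""
    return all(ch.encode(enc) == ch.encode("ascii")
               for enc in encodings for ch in METACHARS)

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("田中", "tanaka-note"), ("أحمد", "ahmad-note")])  # constructed rows
    return db

def lookup_concat(db, name):
    # Vulnerable form: user text becomes part of the SQL statement.
    return db.execute(
        "SELECT secret FROM users WHERE name = '" + name + "'").fetchall()

def lookup_param(db, name):
    # Hardened form: the driver binds the value, so quotes stay data.
    return db.execute(
        "SELECT secret FROM users WHERE name = ?", (name,)).fetchall()

def render_greeting(name):
    # Output encoding escapes the ASCII markup characters and leaves
    # Japanese or Arabic text untouched.
    return "<p>" + html.escape(name, quote=True) + "</p>"

# Constructed inputs: localized text mixed with ASCII metacharacters.
SQL_INPUT = "田中' OR '1'='1"
HTML_INPUT = "أحمد<script>alert(1)</script>"

if __name__ == "__main__":
    db = make_db()
    print("metacharacter bytes identical:", same_bytes_everywhere())
    print("rows via concatenation:", len(lookup_concat(db, SQL_INPUT)))
    print("rows via bound parameter:", len(lookup_param(db, SQL_INPUT)))
    print(render_greeting(HTML_INPUT))
```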