Re: [WEB SECURITY] XSS, SQL injection vulns on non-English sites
- From: "Arian J. Evans" <arian.evans@xxxxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] XSS, SQL injection vulns on non-English sites
- Date: Wed, 23 Apr 2008 13:33:40 -0700
On Wed, Apr 23, 2008 at 11:43 AM, Jim Weiler <crispusatticks@xxxxxxxxx> wrote:
>
> Q1. How would a cross-site scripting vulnerability be exploited on a non-
> English web site? Would a link containing a cross-site scripting exploit for
> that site have to contain ASCII JavaScript, or JavaScript characters encoded
> in some character set that included the ASCII characters?
Same. Your target parser is the browser, so you have two things to consider:
A1.1 Protocol message format (HTTP header specifies UTF-8, 16, etc.?)
A1.2 All the encoding types the browser natively supports.
Sometimes characters will get transcoded on non-English sites to friendly
matches that are dangerous. ?'?? can give you a single quote needed
for escaping a string in JavaScript space, that might otherwise be filtered.
> Q2. How would you do SQL injection to a non-English web site, say Japanese
> or Arabic? Doesn't the database engine expect ASCII SQL characters? If the
> web server says it understands UTF-8 I guess you could use a proxy to inject
> UTF-8 encoded ASCII SQL as form or URL parameter values.
This is not always the same. Your target parser is the database. Different DBs
support different character sets, and I have little experience with
internationalized versions of DBs with regional language settings enabled.
I have seen explicit transcoding issues performed by developers and
overly friendly parsers, and that is always worth looking for.
Map out all the character sets, look for any transcoding/friendly matches
between characters, and if you see any, start testing ones that look like
they could turn into nasty business.
e.g. -- look at Unicode page 590, chars 05F0 through 05F4; Yiddish digraphs
and punctuation. I've seen those borked into " and ' before in the DB for
data "normalization".
cheers
--
Arian J. Evans.
I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.
ps - Remember to block Finger.
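An added example, not part of the thread, of the "map out the character sets and look for friendly matches" step Arian describes: a Python check that lists which non-ASCII characters a Unicode normalization form collapses into SQL/JavaScript metacharacters, and shows why an input filter that runs before normalization misses them. The function names and the sample input are my own; a specific database's "best fit" transliteration (the kind that turns U+05F3/U+05F4 into quotes) is not modelled and must be tested against the real DB.

```python
import unicodedata

# ASCII metacharacters that matter to a SQL or JavaScript parser. A non-ASCII
# character that normalizes to one of these is a "friendly match" in the
# thread's sense: it can slip past a filter that runs before normalization.
METACHARS = set("'\"<>;\\-/()")


def find_collapses(text, form="NFKC"):
    """Return (original_char, normalized_text) for every non-ASCII character in
    `text` whose Unicode normalization introduces a character from METACHARS."""
    hits = []
    for ch in text:
        if ord(ch) < 0x80 or 0xD800 <= ord(ch) <= 0xDFFF:   # skip ASCII, surrogates
            continue
        norm = unicodedata.normalize(form, ch)
        if METACHARS & set(norm):
            hits.append((ch, norm))
    return hits


def audit_code_points(form="NFKC", last=0xFFFF):
    """Scan U+0080..last and map each code point whose normalization contains a
    metacharacter to its normalized string. Only the standard Unicode forms are
    covered; DB-side best-fit mappings (assumption: vendor-specific) are not."""
    return dict(find_collapses("".join(map(chr, range(0x80, last + 1))), form))


def strip_quotes(s):
    return s.replace("'", "").replace('"', "")


def filter_order_demo(text):
    """Filtering before NFKC lets a collapsed quote through; filtering after
    NFKC removes it. Returns (wrong_order_result, right_order_result)."""
    wrong_order = unicodedata.normalize("NFKC", strip_quotes(text))
    right_order = strip_quotes(unicodedata.normalize("NFKC", text))
    return wrong_order, right_order


if __name__ == "__main__":
    sample = "a\uff07b"   # constructed: U+FF07 FULLWIDTH APOSTROPHE between letters
    print(find_collapses(sample))      # [('＇', "'")]
    print(filter_order_demo(sample))   # ("a'b", 'ab')
    hits = audit_code_points()
    print(len(hits), "BMP code points normalize to a metacharacter under NFKC")
```

Run the audit against every normalization or transliteration step in the pipeline (NFKC here, but also NFKD and whatever the DB collation does), and put validation after the last of them.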