
Re: [WEB SECURITY] Advisory: Attack of the Mongolian space evaders... (and other Medieval XSS vectors)



Chris Weber wrote on 9/13/2008 4:52 PM:
The following code points all get treated as a space, making things like:

<a href=#[U+180E]onclick=alert()>

possible. This list includes many of the Unicode code points with the white_space property:

U+2002 to U+200A
U+205F
U+3000
U+180E Mongolian Vowel Separator
U+1680 Ogham Space Mark

It's similar to what gnucitizen pointed out for Firefox last year:

	http://www.gnucitizen.org/blog/snippets-of-defense-ptiv/

When I ran his JavaScript script at the time with FF2, it found these as the whitespace chars that FF2 allows:

	&#8204
	&#8205
	&#8206
	&#8207
	&#8234
	&#8235
	&#8236
	&#8237
	&#8238
	&#8298
	&#8299
	&#8300
	&#8301
	&#8302
	&#8303
	&#65279

Re-running it again with FF3, I get this:

	&#65279
	&#65534

which is the UTF-8 BOM in little- and big-endian.


- Bil
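The practical consequence for a filter is a tokenization mismatch: the HTML spec only separates attributes on ASCII whitespace, but the browsers in the thread also split on the code points listed above, so `onclick` is invisible to an ASCII-only parser. The following added example (not code from the thread or its participants) builds a separator set from the code points reported above and compares the two views of a tag; its tokenizer is a deliberate simplification that does not handle quoted attribute values.

```python
# Constructed from the code points reported in the thread: Chris Weber's list
# (U+2002..U+200A, U+205F, U+3000, U+180E, U+1680) and the FF2/FF3 scan results
# (&#8204..&#8207, &#8234..&#8238, &#8298..&#8303, &#65279, &#65534).
BROWSER_EXTRA_SEPARATORS = frozenset(
    list(range(0x2002, 0x200B)) + [0x205F, 0x3000, 0x180E, 0x1680]
    + list(range(0x200C, 0x2010)) + list(range(0x202A, 0x202F))
    + list(range(0x206A, 0x2070)) + [0xFEFF, 0xFFFE]
)
ASCII_WS = " \t\n\r\f"  # the separators the HTML spec actually defines

def attribute_names(tag: str, extra_separators=frozenset()) -> list:
    """Attribute names of one start tag such as '<a href=x onclick=y>'.
    Splits on ASCII whitespace plus any code points in extra_separators, so the
    caller can compare the spec-only view with the lenient browser view.
    Simplification: quoted values containing spaces are not handled."""
    body = tag.strip().lstrip("<").rstrip(">")
    seps = set(ASCII_WS) | {chr(cp) for cp in extra_separators}
    tokens, cur = [], []
    for ch in body:
        if ch in seps:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    # first token is the tag name; an attribute's name is the part before '='
    return [t.split("=", 1)[0].lower() for t in tokens[1:]]

def hidden_separators(markup: str) -> list:
    """(index, code point) of every browser-only separator, for logging or rejection."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(markup)
            if ord(c) in BROWSER_EXTRA_SEPARATORS]

def has_hidden_event_handler(tag: str) -> bool:
    """True when the browser view exposes an on* attribute the spec view does not."""
    spec = set(attribute_names(tag))
    browser = set(attribute_names(tag, BROWSER_EXTRA_SEPARATORS))
    return any(name.startswith("on") for name in browser - spec)

# Constructed sample: the payload from the thread, with U+180E in place of a space.
SAMPLE = "<a href=#\u180eonclick=alert()>"

if __name__ == "__main__":
    print("spec view:   ", attribute_names(SAMPLE))
    print("browser view:", attribute_names(SAMPLE, BROWSER_EXTRA_SEPARATORS))
    print("hidden:      ", hidden_separators(SAMPLE))
```

The defensive takeaway is to normalize or reject these code points before any attribute-level filtering, rather than trusting an ASCII-whitespace tokenizer.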

