|Main Archive Page > Month Archives > full-disclosure-uk archives|
Brian Eaton wrote:
> Has anyone had a look at the full-width unicode encoding trick
> discussed here?
BTW - why is this news? it has been known for long:
Another way that Unicode can cause problems is that the application or operation system can assign the same interpretation to different code points. Thus, even though the Unicode specification dictates that the code points should be treated differently, the application actually treats them the same.
I tested IIS on Windows 2000 Advanced Server (English) and found that it was very good at exhibiting this behavior. For example, here is a list of the various code points that resolved to the capital letter "A": U+0041, U+0100, U+0102, U+0104, U+01CD, U+01DE, U+8721.
And the full-width Unicode range and its applicability to bypassing a
specific security mechanism (ASP.NET's XSS protection and Request
Validation mechanisms) was explicitly discussed in a post to BugTraq
titled "XSS vulnerabilty in ASP.Net [with details]
<http://www.securityfocus.com/archive/1/390751/30/0/threaded>" by Andrey
Rusyaev which dates back to 2005
In specific conditions the cross-site scripting attack (XSS)  are possible on web site under management ASP.Net, because used a wrong filtration of special HTML characters. Attack exploits vulnerability of mechanism of converting Unicode strings  to national ASCII codepages. The basic problem arises from the lack of a filtration of special HTML characters in range U+ff00-U+ff60 (fullwidth ASCII characters ).