full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] [WEB SECURITY] noise a

Re: [Full-disclosure] [WEB SECURITY] noise about full-width encoding bypass?

From: Arian J. Evans <arian.evans_at_nospam>
Date: Tue May 22 2007 - 17:05:45 GMT
To: "Amit Klein" <aksecurity@gmail.com>, "Web Security" <websecurity@webappsec.org>, Full-Disclosure <full-disclosure@lists.grok.org.uk>

On 5/22/07, Amit Klein <aksecurity@gmail.com> wrote:
> Brian Eaton wrote:
> > Has anyone had a look at the full-width unicode encoding trick
> > discussed here?
> >
> > http://www.kb.cert.org/vuls/id/739224
> >
> BTW - why is this news? it has been known for long:

I think the problem here is network security folks don't understand this stuff at all.

IDS evasion is the stuff of "landmark" papers, from the paper Thomas Ptacek and co did on packet fragmentation and re-assembly work, to K2's polymorphic shell-code:


So there are 31 flavors of encoding types validly used by web apps using HTTP that may or may not get interpreted, converted, or canonicalized to ASCII or some form that a parser will execute.

We know that, and discuss it ad naseum on the WASC list, but I'm not sure that the average Joe running an IDS understands just how limited that IDS or firewall (with "application smart defense", etc.) may be with its "tcp stream reassembly and HTTP decoding" capabilities.

Hence the wonky cert advisory, basically: "OMG! all valid encoding types not decoded by IDS!!! Who knew ?!?"

So, in short Amit: It is new news to some folks, I think, probably a lot of folks (the majority of the IT and even infosec professional population not subscribing to these lists).

There is no God Master Guide to Encoding Ninjitsu for Web Attacksters handy for folks to quick reference this rather complex subject, either... -- Arian Evans scrutinizing shameless software insecurity "Diplomacy is the art of saying "Nice doggie" until you can find a rock." -- Will Rogers

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/