Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] [WEB SECURITY] Re: noise about full-width encoding

from [Chris Weber] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] [WEB SECURITY] Re: noise about full-width encoding bypass?
Date: Mon, 21 May 2007 12:24:51 -0700 
Hold up a second folks, you're telling this list now that ASP.NET will
decompose various character sets like those containing your full-width single
quote, into it's ASCII equivalent.  Brian I think you should've stuck to your
original story because I'm almost certain this is completely untrue.  

If it were true then we'd have some dire state of emergency on our hands no? 
Compatibility decomposition and canonical composition are a function of the
Unicode normalization forms in use (http://unicode.org/reports/tr15/).  

*In particular, forms KD and KC would do what you're saying, but those aren't
commonly in use afaik.  Developers should be very cautious when normalizing to
these forms.

If you've managed to find some specific ASP.NET classes which normalize to
problematic forms KD/KC then you should let us know, but just saying all of
ASP.NET does this would be a huge stretch.  The framework supports all four
normalization methods
(http://msdn2.microsoft.com/en-us/winfx/system.string.aspx) and it's up to
developers to implement the ones they need.






---------- Original Message -----------
From: ascii <ascii@katamail.com>
To: Brian Eaton <eaton.lists@gmail.com>
Cc: Web Security <websecurity@webappsec.org>, Full-Disclosure
<full-disclosure@lists.grok.org.uk>
Sent: Mon, 21 May 2007 23:01:26 +0200
Subject: [WEB SECURITY] Re: [Full-disclosure] noise about full-width encoding
bypass?


Brian Eaton wrote:

To summarize what I've heard from various sources: I am missing
something important. =)  Both PHP and ASP.NET will decode these
characters into their ASCII equivalents.


(AFAIK)

Only ASP.NET/IIS decodes that automatically.

PHP *can* do that as like JSP and probably others but that has
to happen explicitly in the application code or on an other layer.

Regards,
Francesco `ascii` Ongaro
http://www.ush.it/

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

------- End of Original Message -------


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] [WEB SECURITY] Re: noise about full-width encoding bypass?, Arian J. Evans
Next by Date:  [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???, kingcope
Previous by Thread:  Re: [Full-disclosure] noise about full-width encoding bypass?, 3APA3A
Next by Thread:  Re: [Full-disclosure] [WEB SECURITY] Re: noise about full-width encoding bypass?, ascii
Indexes:  [Date] [Thread] [Top] [All Lists]