[WEB SECURITY] XSS, SQL injection vulns on non-English sites

Arian J. Evans arian.evans at anachronic.com
Wed Apr 23 16:33:40 EDT 2008

On Wed, Apr 23, 2008 at 11:43 AM, Jim Weiler <crispusatticks at yahoo.com> wrote:
> Q1. How would a cross site scripting vulnerability be exploited on a non-
> English web site? Would a link containing a cross site scripting exploit for
> that site have to contain ASCII javascript or javascript characters encoded
> in some character set that included the ASCII characters?

Same. Your target parser is the browser, so you have two things to consider:

A1.1 Protocol message format (HTTP header specifies UTF-8, 16, etc.?)
A1.2 All the encoding types the browser natively supports.

Sometimes characters will get transcoded on non-English sites to friendly
matches that are dangerous. ?'?? can give you a single quote needed
for escaping a string in javascript space, that might otherwise be filtered.

> Q2. How would you do SQL injection to a non-English web site, say Japanese
> or Arabic? Doesn't the database engine expect ASCII SQL characters? If the
> web server says it understands UTF-8 I guess you could use a proxy to inject
> UTF-8 encoded ASCII SQL as form or URL parameter values.

This is not always the same. Your target parser is the database. Different DBs
support different character sets, and I have little experience with
versions of DBs with regional language settings enabled.

I have seen explicit transcoding issues performed by developers and
overly friendly parsers, and that is always worth looking for.

Map out all the character sets, look for any transcoding/friendly matches
between characters, and if you see any, start testing ones that look like
they could turn into nasty business.

e.g. -- look at Unicode page 590, chars 05F0 through 05F4; Yiddish digraphs
and punctuation. I've seen those borked into " and ' before in the DB for
data "normalization".

Arian J. Evans.

I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.

ps - Remember to block Finger.
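Added example, not part of the post above: a small Python model of the "friendly" transcoding problem Arian describes, where input is validated before the storage layer maps Hebrew punctuation (U+05F3/U+05F4) or compatibility characters to ASCII quotes. The `FRIENDLY_MAP` table and `friendly_transcode` are a constructed stand-in for such a layer, not any real database's behaviour; the point is that validation must run on the canonical form that the downstream parser will actually see.

```python
import unicodedata

# Constructed model of a lossy "normalization" step: the Hebrew punctuation
# the post mentions collapses to ASCII quotes. An assumption, not a real DB.
FRIENDLY_MAP = {
    "\u05f3": "'",   # HEBREW PUNCTUATION GERESH    -> apostrophe
    "\u05f4": '"',   # HEBREW PUNCTUATION GERSHAYIM -> double quote
}

DANGEROUS = set("'\"")


def friendly_transcode(text: str) -> str:
    """Canonical form as the storage layer would see it (constructed model).

    NFKC folds compatibility forms (e.g. FULLWIDTH APOSTROPHE U+FF07 -> U+0027);
    FRIENDLY_MAP then applies the Hebrew-punctuation folding from the post.
    """
    text = unicodedata.normalize("NFKC", text)
    return "".join(FRIENDLY_MAP.get(ch, ch) for ch in text)


def has_quote(text: str) -> bool:
    """True if the text contains an ASCII quote character."""
    return any(ch in DANGEROUS for ch in text)


def validate_before_transcode(raw: str) -> bool:
    """Weak check: looks at the raw bytes, before the storage layer transcodes."""
    return not has_quote(raw)


def validate_after_transcode(raw: str) -> bool:
    """Strong check: validate the same canonical form the DB/parser receives."""
    return not has_quote(friendly_transcode(raw))


def transcoding_gap(samples):
    """Return inputs that pass the weak check but carry a quote once transcoded.

    Useful as a unit test over a site's own character-set mappings: any hit
    means the filter and the parser disagree about what the input contains.
    """
    return [s for s in samples
            if validate_before_transcode(s) and not validate_after_transcode(s)]


if __name__ == "__main__":
    # Constructed sample inputs: a Hebrew geresh, a fullwidth apostrophe, plain text.
    for hit in transcoding_gap(["O\u05f3Brien", "O\uff07Brien", "plain"]):
        print("filter bypassed by transcoding:", repr(hit), "->", repr(friendly_transcode(hit)))
```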
