[WEB SECURITY] XSS, SQL injection vulns on non-English sites
Arian J. Evans
arian.evans at anachronic.com
Wed Apr 23 16:33:40 EDT 2008
On Wed, Apr 23, 2008 at 11:43 AM, Jim Weiler <crispusatticks at yahoo.com> wrote:
> Q1. How would a cross site scripting vulnerability be exploited on a non
> English web site? Would a link containing a cross site scripting exploit be
> in some character set that included the ASCII characters?
Same. Your target parser is the browser, so you have two things to consider:
A1.1 Protocol message format (HTTP header specifies UTF-8, 16, etc.?)
A1.2 All the encoding types the browser natively supports.
Sometimes characters will get transcoded on non-English sites to friendly
matches that are dangerous. ?'?? can give you a single-quote needed
> Q2. How would you do SQL injection to a non English web site, say Japanese
> or Arabic? Doesn't the database engine expect ASCII SQL characters? If the
> web server says it understands UTF-8 I guess you could use a proxy to inject
> UTF-8 encoded ASCII SQL as form or URL parameter values.
This is not always the same. Your target parser is the database. Different DBs
support different character sets, and I have little experience with
versions of DBs with regional language settings enabled.
I have seen explicit transcoding issues performed by developers and
overly friendly parsers, and that is always worth looking for.
Map out all the character sets, look for any transcoding/friendly matches
between characters, and if you see any, start testing ones that look like
they could turn into nasty business.
e.g. -- look at Unicode page 590, chars 05F0 through 05F4; Yiddish digraphs
and punctuation. I've seen those borked into " and ' before in the DB for
Arian J. Evans.
I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.
ps - Remember to block Finger.
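A worked illustration of the "map out the character sets, look for friendly matches, then test them" advice above. This is an added example, not code from the post or from any project it mentions. It uses only the Python standard library and treats Unicode NFKC compatibility normalization as one concrete, reproducible source of transcoding (fullwidth forms, the Greek question mark, etc.); application-level transliteration such as mapping the Hebrew geresh/gershayim to ASCII quotes happens in custom code or best-fit codec tables and is assumed to exist elsewhere rather than modelled here. The function names, the metacharacter set, and the sample payloads are all constructed for the example.

```python
"""Enumerate NFKC "friendly matches" for ASCII metacharacters and show why
the order of validate-vs-normalize decides whether a filter can be bypassed.

Added example; assumes NFKC normalization happens somewhere between the
filter and the target parser (browser or database).
"""
import unicodedata

# ASCII metacharacters that matter to the two target parsers named in the
# post: the browser (HTML/JS) and the database (SQL).
METACHARS = frozenset("'\"<>;\\")


def nfkc_friendly_matches(targets=METACHARS):
    """Scan every assigned code point for those whose NFKC form contains one
    of the target ASCII metacharacters.

    Returns {target_char: sorted list of code points}. This is the "map out
    the character sets" step done mechanically for one transcoding source.
    """
    hits = {t: [] for t in targets}
    for cp in range(0x80, 0x110000):
        if 0xD800 <= cp <= 0xDFFF:
            continue  # lone surrogates are not characters
        ch = chr(cp)
        norm = unicodedata.normalize("NFKC", ch)
        if norm == ch:
            continue  # no compatibility mapping, nothing to transcode
        for t in targets:
            if t in norm:
                hits[t].append(cp)
    return hits


def payload_variants(payload, hits):
    """For every ASCII metacharacter in payload, produce copies in which that
    single character is replaced by each code point that NFKC-folds to it.
    These are the probes to send once a site is suspected of normalizing
    input somewhere after its filters.
    """
    variants = []
    for i, c in enumerate(payload):
        for cp in hits.get(c, ()):
            variants.append(payload[:i] + chr(cp) + payload[i + 1:])
    return variants


def validate_then_normalize(value):
    """Vulnerable order (constructed for the example): the filter inspects the
    raw input, but the downstream parser receives the normalized form."""
    if any(c in METACHARS for c in value):
        raise ValueError("rejected")
    return unicodedata.normalize("NFKC", value)


def normalize_then_validate(value):
    """Hardened order: normalize first, then validate exactly the string the
    downstream parser will see."""
    norm = unicodedata.normalize("NFKC", value)
    if any(c in METACHARS for c in norm):
        raise ValueError("rejected")
    return norm


if __name__ == "__main__":
    hits = nfkc_friendly_matches()
    for t in sorted(hits):
        print(repr(t), ["U+%04X" % cp for cp in hits[t]])
    # Constructed probes: fullwidth apostrophe for SQL, fullwidth '<' for HTML.
    sql_probe = "\uff07 OR 1=1--"
    xss_probe = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"
    for probe in (sql_probe, xss_probe):
        print("raw-validated filter let through:", repr(validate_then_normalize(probe)))
        try:
            normalize_then_validate(probe)
        except ValueError:
            print("normalize-first filter rejected:", repr(probe))
    print(payload_variants("<s>", hits)[:3])
```

Running it lists, per metacharacter, every code point that NFKC folds into it (for example U+FF07 to the apostrophe, U+FF02 to the double quote, U+FF1C/U+FF1E to the angle brackets, and the Greek question mark U+037E to the semicolon), then shows the same fullwidth payload passing the filter that checks raw input and failing the one that checks the normalized form. The same scan-then-substitute approach applies to any other transcoding table you discover for a given DB or application; only the `hits` source changes.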
Join us on IRC: irc.freenode.net #webappsec