kvasilov48 / web-obfuscation

Automatically exported from code.google.com/p/web-obfuscation

ERRATA: Possible Incorrect Multi-Byte Injection #7

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
In which chapter/section/page number?
Chapter 2 HTML, Page 33, 2nd paragraph

What is the existing content?
The complete injection would look like this:

<a title="My Homepage" href="http://foobar&#x143; onclick=alert()>My Homepage</a>

What is the correct content (optional)?
The complete injection would look like this:

<a title="My Homepage" href="http://foobar onclick=alert()//&#x8f;>My Homepage</a>

Comments
A couple of issues if I'm seeing this right:

The first is the Shift_JIS double byte lead character is placed at the end of 
foobar versus the end of the alert. For it to gobble up the second double 
quote, it would need to be placed in front of the second double quote, correct? 
(This would create a \x8F22 string, which isn't being parsed correctly.)

The second is that the HTML entity encoding is using hex but the value is the 
decimal character. It should be either &#x8f; or &#143; correct?

The third is the missing JavaScript comment slashes "//" which may not make the 
alert fire correctly. These are included in the sample correctly above. Aren't 
they needed here?

Feedback:
I recommend discussing multi-byte character encoding in more detail. Maybe even 
chat about Arshan's issue found w/ SiteMinder? I don't think it's obvious as to 
why this attack should work in the first place unless one has a priori 
knowledge about multi-byte characters.

I recommend for the next printing to ask to use a different font that shows 
bolding a bit better than the one in use. The characters next to the normal 
text are hard to discern sometimes. Or if that's not possible, maybe just show 
the attack string outside of the whole vector? Reading this in a bar was a pain 
last night :-)

Original issue reported on code.google.com by jon.pas...@aspectsecurity.com on 2 Feb 2011 at 1:35
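Added example, not part of this issue thread or of the book: a small Python model of the check the comment above implies. It writes the &#x8f; reference as the raw byte 0x8F (the thread's notation for that byte), assumes the vector lands inside an href="..." attribute of a constructed template, and reports every place where a Shift_JIS lead byte sits directly in front of a byte that is not a valid trail byte, flagging the cases where that byte is an HTML or JavaScript delimiter. decodes_strictly is the defender's counterpart: decode in the charset the response actually declares, with strict error handling, and fail closed.

```python
from __future__ import annotations

# Added example for this errata thread; not code from the book or from the
# web-obfuscation project. Shift_JIS byte classes below come from the encoding's
# definition; the template and sample vectors are constructed for illustration.

SJIS_LEAD = frozenset(range(0x81, 0xA0)) | frozenset(range(0xE0, 0xF0))
SJIS_TRAIL = frozenset(range(0x40, 0x7F)) | frozenset(range(0x80, 0xFD))
# ASCII bytes whose disappearance changes how the tokenizer reads what follows.
DELIMITERS = frozenset(b'"\'<>/\\=')


def find_malformed_pairs(data: bytes) -> list[tuple[int, int, int]]:
    """Walk `data` the way a Shift_JIS decoder would and return
    (offset, lead, next_byte) for every lead byte whose following byte is not
    a valid trail byte. A lenient decoder that consumes such a pair as one
    character makes `next_byte` vanish from the decoded markup."""
    hits = []
    i = 0
    while i < len(data):
        b = data[i]
        if b in SJIS_LEAD and i + 1 < len(data):
            nxt = data[i + 1]
            if nxt in SJIS_TRAIL:
                i += 2          # well-formed double-byte character
                continue
            hits.append((i, b, nxt))
        i += 1                  # single byte, or malformed lead: resume at next byte
    return hits


def lost_delimiters(data: bytes) -> list[tuple[int, int]]:
    """Subset of find_malformed_pairs where the byte that would be swallowed is
    a delimiter: (offset of the lead byte, delimiter byte)."""
    return [(off, nxt) for off, _lead, nxt in find_malformed_pairs(data)
            if nxt in DELIMITERS]


def decodes_strictly(data: bytes, encoding: str = "shift_jis") -> bool:
    """Mitigation: decode with the declared charset and strict error handling.
    A lead byte without a valid trail byte is rejected, not guessed at."""
    try:
        data.decode(encoding)          # errors="strict" is the default
    except UnicodeDecodeError:
        return False
    return True


# Constructed inputs: the vector is assumed to be injected into the href slot.
TEMPLATE = b'<a title="My Homepage" href="%s">My Homepage</a>'
BOOK_VECTOR = TEMPLATE % b"http://foobar\x8f onclick=alert()"       # lead byte after foobar
ERRATA_VECTOR = TEMPLATE % b"http://foobar onclick=alert()//\x8f"   # lead byte before the quote
WELL_FORMED = TEMPLATE % b"\x82\xa0"                                  # 0x82 0xA0 is a valid pair


if __name__ == "__main__":
    for name, vec in [("book", BOOK_VECTOR), ("errata", ERRATA_VECTOR),
                      ("well-formed", WELL_FORMED)]:
        print(name, "malformed:", find_malformed_pairs(vec),
              "lost delimiters:", lost_delimiters(vec),
              "strict decode ok:", decodes_strictly(vec))
```

Run against the two placements, the book's version yields a malformed pair whose swallowed byte is only the space after foobar, while the errata's placement puts the closing quote in the swallowed position. Strict decoding rejects both, which is why decoding (or transcoding to UTF-8) with strict errors before markup generation closes this class of issue regardless of where the lead byte lands.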

GoogleCodeExporter commented 9 years ago
Assigning it to Mario.

Thanks! :)

Original comment by sirdarckcat on 2 Feb 2011 at 6:20

GoogleCodeExporter commented 9 years ago
True - that entity is not correct - will be fixed.

I agree that more coverage on multi-byte encodings would be possible. And I 
have to say - we actually considered adding a Unicode chapter written by 
another author, but couldn't for various reasons. 

I hope it will make its way to the next issue of WAO. This topic is very 
complex but nevertheless definitely worth covering. I hope that particular 
paragraph made clear how those attacks play well together with the FF3 markup 
parser though.

Original comment by Mario.He...@googlemail.com on 3 Feb 2011 at 12:32