Jeremiah Grossman and I spent some time looking at the exploit that Kurt Huwig found using malformed ASCII chars to bypass filters. We were able to actually turn this into HTML that will run, without using open and close angle brackets. In IE click here to run the proof of concept XSS (notice that the script tags are not encapsulated by valid ASCII chars).
The trick, we found, is the encoding. Unfortunately, this exploit is not as dramatic as we originally thought it might be, because it requires the page's character encoding to be set to US-ASCII. After just a few minutes we had a working prototype, and we even got XSS working through the script.
So then we ran a scan of ~500 domains and found that only about 1% of them were served with this encoding. So as a viable attack vector, sure, it's possible that some servers (Kurt runs Tomcat, so maybe that one?) may be vulnerable in the way they are set up, for any IE users who happen to use their sites.
A more viable problem is that content filters, anti-virus and other tools that monitor inbound packets will not see through this encoding. Any virus payload, or otherwise blocked content like spam, could easily use this encoding and travel unstopped to the browser, where it would be rendered as you would expect. Pretty scary stuff, actually.
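As an added illustration of why byte-level filters miss this (example code written for this post's point, not code from the original post or from Kurt's or Jeremiah's work): a filter that looks for literal angle brackets in the raw bytes never sees them, while a filter that first models the decoding a US-ASCII-labelled page is assumed to receive (every byte masked to 7 bits, so 0xBC becomes `<` and 0xBE becomes `>`) does. The 7-bit-mask model, the function names and the sample bytes are assumptions constructed for the example.

```python
# Added example, not from the original post. Models the difference between a
# filter that checks raw bytes and one that normalizes them the way a
# US-ASCII-labelled page is assumed to be decoded (high bit discarded).

HTML_CHARSET_US_ASCII = "us-ascii"


def naive_filter_flags(body: bytes) -> bool:
    """Flags content only if literal 7-bit angle brackets are present."""
    return b"<" in body or b">" in body


def normalize_for_charset(body: bytes, charset: str) -> bytes:
    """Assumed client-side decoding: under a US-ASCII charset every byte is
    masked to 7 bits, so bytes with the high bit set collapse onto ordinary
    ASCII characters. Other charsets are left untouched in this model."""
    if charset.lower() == HTML_CHARSET_US_ASCII:
        return bytes(b & 0x7F for b in body)
    return body


def normalized_filter_flags(body: bytes, charset: str) -> bool:
    """Flags content if angle brackets would appear after the decoding the
    client is assumed to apply for the declared charset."""
    return naive_filter_flags(normalize_for_charset(body, charset))


# Constructed sample: a harmless <b> tag written with 0xBC/0xBE in place of
# '<' and '>' (those are '<' and '>' with the high bit set).
SAMPLE_MALFORMED = b"hello \xbcb\xbeworld\xbc/b\xbe"
SAMPLE_PLAIN = b"hello <b>world</b>"


def compare(body: bytes, charset: str) -> dict:
    """Returns what each filter decides for the same body and charset."""
    return {
        "naive": naive_filter_flags(body),
        "normalized": normalized_filter_flags(body, charset),
    }


if __name__ == "__main__":
    print(compare(SAMPLE_MALFORMED, "us-ascii"))  # naive False, normalized True
    print(compare(SAMPLE_MALFORMED, "utf-8"))     # both False
    print(compare(SAMPLE_PLAIN, "us-ascii"))      # both True
```

The practical takeaway for an inline filter is that it has to inspect content in the form the browser will actually decode, which depends on the declared charset; for the server side, serving an explicit charset other than US-ASCII (for example UTF-8) removes the condition the post says the exploit depends on.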
Thanks to Jeremiah for his help in this blog post!