ISO-8895-1 Vulnerable in Firefox to Null Injection
This is one of the weirder vectors I’ve come across in a while, but since I’ve been the one touting the virtues of ISO-8895-1 for the last several months, ever since we found all the issues in UTF-8 and US-ASCII, I thought I should be fair and report another issue I came across. I was toying with the old UTF-16 vector today and randomly started iterating through other encoding methods in Firefox when I came across it.
Internet Explorer has always allowed nulls anywhere you want in the code, and they are gracefully ignored. Firefox, however, in every case other than UTF-16 (and who uses that anyway) breaks if you try to change the vector by adding nulls. So it appeared that ISO-8895-1 was safe from null injection in Firefox. Until today, that is. The code for this is very simple:
Interesting… I’m not sure how useful it is, since it appears to be highly sensitive to how many characters precede it and what exactly precedes it, but nevertheless I thought I should offer full disclosure, since I was the one touting it as more secure than UTF-8.




February 10th, 2007 at 9:34 pm
Mmm… isn’t working for me: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1 - Build ID: 2006120418
When I view source the closing script tag is red (signifying an error), which is interesting.
February 10th, 2007 at 9:40 pm
That’s very strange. I’m using and just checked again: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
February 10th, 2007 at 9:48 pm
Well, part of the thing is that my version of Firefox is identifying the page as “UTF-16BE”, not ISO 8859-1 (probably because of the byte order mark you’ve inserted in there). Loading the page in a clean profile yields similar effects.
February 10th, 2007 at 10:44 pm
Interesting… it’s switching it to UTF-16BE for me as well (despite the fact that my headers specifically say ISO-8895-1), but I can definitely see it firing. Can you still not?
February 11th, 2007 at 6:09 am
I’m vulnerable.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9
February 11th, 2007 at 7:27 am
Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1 - works, identified as UTF-16BE. Works also in Opera (Opera/9.10 (Windows NT 5.1; U; pl), compilation 8679) in UTF-16, not in ISO-8859-1 (þÿalert(”XSS”)).
February 11th, 2007 at 1:25 pm
Your code uses ISO-8895-1, but just to be clear, do you mean ISO-8859-1?
February 11th, 2007 at 1:38 pm
Ah-ha! No, I typoed it several times… when I change it to 8859 (as it should be) it no longer works! So in the absence of a proper header it attempts to guess. Very interesting… Whew, that’s one less thing to worry about actually.
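
The condition the thread arrives at (a charset label the browser does not recognise, plus a byte order mark in the body that it then sniffs) can be checked for on the server side. This is an added example, not code from the original post: the function names and sample bytes are constructed, and it assumes a runtime whose `TextDecoder` follows the WHATWG encoding label list (Node.js built with full ICU, or a browser).

```javascript
// Byte order marks a browser may sniff when the declared charset is unusable.
const BOMS = [
  { name: "UTF-8", bytes: [0xef, 0xbb, 0xbf] },
  { name: "UTF-16BE", bytes: [0xfe, 0xff] },
  { name: "UTF-16LE", bytes: [0xff, 0xfe] },
];

// Constructed sample body: UTF-16BE BOM followed by "hi" in UTF-16BE.
const SAMPLE_BODY = Uint8Array.from([0xfe, 0xff, 0x00, 0x68, 0x00, 0x69]);

// Pull the charset parameter out of a Content-Type header value.
function declaredCharset(contentType) {
  const m = /;\s*charset\s*=\s*"?([^";\s]+)"?/i.exec(contentType || "");
  return m ? m[1] : null;
}

// TextDecoder throws RangeError for labels it does not recognise,
// which is how a typo such as "ISO-8895-1" shows up.
function isKnownLabel(label) {
  try {
    new TextDecoder(label);
    return true;
  } catch (e) {
    if (e instanceof RangeError) return false;
    throw e;
  }
}

function sniffBom(body) {
  for (const { name, bytes } of BOMS) {
    if (bytes.every((b, i) => body[i] === b)) return name;
  }
  return null;
}

// Report an unusable charset declaration and any BOM that disagrees with it.
function auditResponse(contentType, body) {
  const label = declaredCharset(contentType);
  const known = label !== null && isKnownLabel(label);
  const bom = sniffBom(body);
  const findings = [];
  if (label === null) findings.push("no charset declared");
  else if (!known) findings.push(`unrecognised charset label "${label}"`);
  if (bom && (!known || new TextDecoder(label).encoding !== bom.toLowerCase())) {
    findings.push(`body starts with a ${bom} BOM`);
  }
  return { label, known, bom, findings };
}
```

Running `auditResponse` over the header value and first bytes of each response in a test suite flags the mistyped label before a browser gets the chance to guess.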