web application security lab

Charset Vulnerability Map

I’ve been meaning to do this for a lonnnng time, but I finally got around to building a map of the vulnerable charsets that I know of. This is nowhere near complete, and much of it has yet to be tested, but every charset I have mapped out I do know to have at least one vulnerability (variable width encoding, or some other selected-encoding attack against normal anti-XSS filters). Click here for the list. I must stress that not nearly enough work has been done in this area.

From the results I’ve found thus far (and again, there is lots more to do) it appears that Opera is the least vulnerable, Firefox second, and IE 7.0 a distant third. Just because something isn’t marked doesn’t mean it’s secure; it only means I haven’t found anything that immediately worked. I welcome other people to help out on anything I’ve missed, because I know there’s more out there. Every time I look at this I find more. Anyway, I wanted to share it with everyone, so let me know what you think.
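The charsets the post and the comments list share one failure mode: a response body that looks filter-safe as ASCII can decode to markup once a browser picks a different encoding. The following check, added here as an example and not code from the original post, scans a body under those candidate charsets and reports markup characters that appear only after decoding; the sample body is constructed, and the Content-Type check is an assumption about how the check would be wired into a response audit.

```python
from __future__ import annotations

# Charsets the post and the comments report browsers accepting. Some of them
# decode byte sequences that contain no '<' or '>' into exactly those characters.
CANDIDATE_CHARSETS = [
    "utf-8", "utf-7", "utf-16", "utf-16-be", "utf-16-le",
    "utf-32-be", "utf-32-le", "shift_jis", "euc-jp", "hz",
]
MARKUP = frozenset('<>"\'')


def markup_in(text: str) -> set[str]:
    """Markup-significant characters present in a decoded string."""
    return {c for c in text if c in MARKUP}


def charset_exposure(body: bytes) -> dict[str, set[str]]:
    """Decode a response body under each candidate charset and report the
    markup characters that are absent from its ASCII view but present after
    decoding. Python's decoders are strict where browsers are lenient, so an
    empty result means 'nothing found', not 'safe' (the post's own caveat)."""
    visible = markup_in(body.decode("ascii", errors="ignore"))
    findings: dict[str, set[str]] = {}
    for charset in CANDIDATE_CHARSETS:
        try:
            decoded = body.decode(charset)
        except UnicodeDecodeError:
            continue  # invalid under this charset; skip rather than guess
        hidden = markup_in(decoded) - visible
        if hidden:
            findings[charset] = hidden
    return findings


def response_is_exposed(content_type: str, body: bytes) -> bool:
    """A response is exposed to charset sniffing when its Content-Type does not
    pin a charset and some candidate charset reveals hidden markup."""
    pinned = "charset=" in content_type.lower()
    return not pinned and bool(charset_exposure(body))


if __name__ == "__main__":
    # Constructed sample: ASCII bytes with no angle brackets that UTF-7 decodes to "<b>".
    sample = b"+ADw-b+AD4-"
    print(charset_exposure(sample))
    print(response_is_exposed("text/html", sample))
    print(response_is_exposed("text/html; charset=utf-8", sample))
```

Pinning the charset in the Content-Type header (and filtering on the decoded text, not the raw bytes) is what removes the exposure the check reports.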

4 Responses to “Charset Vulnerability Map”

  1. kanedaaa Says:

    Upgrade your Opera to 9.10. It’s the stable version :]]]

  2. Andrew van der Stock Says:

    Safari 2.0.4 has the following issues (using the charset map pages)

    ISO 8859-11 and -14 turned blank
    UTF16 turned gibberish in browser, XSS worked
    UTF16BE turned gibberish in browser, XSS worked
    UTF16le turned gibberish for encoding page, XSS worked

    Firefox 2.0.0.2 is vulnerable to the following attacks:

    EUC-JP (just char 143)
    HZ-GB 2312 (chars 126-255)
    Shift JIS (chars 129-252)
    UTF16, BE and LE turned into what seems to be Chinese gibberish
    UTF16 and BE XSS attack worked (but not LE)
    UTF 32BE and 32LE ditto (but not UTF 32) turned into lots of ? marks
    UTF7 no chars displayed, XSS worked

    Repro steps:

    Fire up browser and point to attack page
    Run through each of the linked attacks for XSS attacks
    Run through every single encoding for variable width issues

    Andrew

  3. Chris_B Says:

    No Safari tests yet?

  4. RSnake Says:

    @ Andrew - thanks! Very helpful.

    @ Chris - there are two problems with me testing Safari. 1) Safari doesn’t make up a sizable market share yet. 2) I don’t have a Mac. Number 2 is the biggie here, so unless someone wants to donate a Mac to the cause, I’m pretty much incapable of doing the tests myself. :)
