Sla.ckers.org
Bypassing WAF with full-width Unicode encoding?
Posted by: trev
Date: May 15, 2007 06:53AM

Does somebody understand what http://www.gamasec.net/english/gs07-01.html talks about? I tried using the characters listed on [www.alanwood.net], the browser simply interprets them as text. What is this good for?

Re: Bypassing WAF with full-width Unicode encoding?
Posted by: lpilorz
Date: May 15, 2007 01:15PM

Maybe it's about some other attacks than XSS. Firefox does not interpret those bytes as HTML special chars, and IE+Opera seem to misunderstand them completely.



Edited 1 time(s). Last edit at 05/15/2007 01:24PM by lpilorz.

Re: Bypassing WAF with full-width Unicode encoding?
Posted by: lpilorz
Date: May 15, 2007 01:54PM

I have an idea, but I don't think it's the only reason behind this advisory. If some WAF is all the XSS defense an application has, it could be bypassed e.g. if there is encoding conversion with TRANSLIT:

http://lukasz.pilorz.net/testy/full_width_utf/index.phps

Result:

http://lukasz.pilorz.net/testy/full_width_utf/index.php

I wouldn't say it's the WAF that's guilty in such a case, so I don't think it was the real reason.

Re: Bypassing WAF with full-width Unicode encoding?
Posted by: Anonymous User
Date: May 15, 2007 03:02PM

Yeah indeed, there should be some encoding taking place, lpilorz.
Interesting idea though.

Re: Bypassing WAF with full-width Unicode encoding?
Posted by: lpilorz
Date: May 21, 2007 03:48PM

http://www.cgisecurity.com/2007/05/21

Re: Bypassing WAF with full-width Unicode encoding?
Posted by: digi7al64
Date: May 21, 2007 06:40PM

Ok, just tested this on IIS 6.0 (ASP vanilla) and, whilst it is an issue, I really don't think it should be that big a deal.

For instance, in ASP/.NET you can simply encode all user output to the screen using server.htmlencode("<script>"), which would change

%uff1cscript%uff1Ealert('hello')%uff1c/script%uff1E

to

&lt;script&gt;alert('hello')&lt;/script&gt;

if you don't encode then it gets converted to

<script>alert('hello')</script>

So the issue here is that in an instance where the site does not encode the output but rather filters content based on specific characters, say < or > for instance, then we can bypass the filter.

But... as it turns out I have always encoded user input before echoing it to the screen, so this "vuln" is not really a "vuln" for me.

UPDATE: Tested using .net 2.0 and even without encoding the output it wasn't an issue.


So basically, this is really only a vuln if you are sanitizing input via a WAF or IDS.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'



Edited 2 time(s). Last edit at 05/21/2007 06:53PM by digi7al64.

Re: Bypassing WAF with full-width Unicode encoding?
Posted by: Anonymous User
Date: May 23, 2007 05:58AM

Just for the record - PHP IDS recognizes those chars...

http://phpids.heideri.ch/?test=%uff1cscript%uff1Ealert('hello')%uff1c/script%uff1E

(third rule...)

Greetings,
.mario

Re: Bypassing WAF with full-width Unicode encoding?
Posted by: lpilorz
Date: May 23, 2007 02:59PM

Maybe someone will find it useful - these Unicode chars may be converted to special chars (<,>,',"):
http://lukasz.pilorz.net/testy/unicode_conversion/

The first two are the most interesting, because they exist in ISO-8859-1, but no other popular single-byte encoding.

Re: Bypassing WAF with full-width Unicode encoding?
Posted by: kishord
Date: May 24, 2007 06:08AM

If anyone wants to try it on .NET + IIS

http://wasjournal.blogspot.com/2007/05/bypassing-waf-with-full-width-unicode.html


The other string that worked for me is
%EF%BC%9Cscript%EF%BC%9Ealert(123)%EF%BC%9C/script%EF%BC%9E

Web Application Security Journ(ey)al
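The mechanism the thread circles around (lpilorz's TRANSLIT conversion, digi7al64's "filter on < and > versus encode the output" distinction, and kishord's two spellings of the same payload) can be reproduced offline. The following is an added example written for this thread, not code from any of the posters or from PHPIDS: it decodes both the non-standard %uXXXX form and the standard UTF-8 percent-encoded form quoted above, shows that a blocklist looking only for ASCII `<`/`>` misses the full-width U+FF1C/U+FF1E characters while the same check after NFKC normalisation catches them, and shows that HTML-encoding the output after folding neutralises both spellings. The sample query strings are the ones quoted in the thread; the function names and the NFKC step (standing in for the iconv //TRANSLIT or codepage best-fit conversion mentioned in the posts) are this example's own choices.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Constructed sample inputs: the two spellings of the payload quoted in the thread.
#  - "percent_u": the non-standard %uXXXX form accepted by some IIS/ASP stacks
#  - "utf8":      the standard UTF-8 percent-encoding of the same full-width characters
SAMPLES = {
    "percent_u": "%uff1cscript%uff1Ealert('hello')%uff1c/script%uff1E",
    "utf8": "%EF%BC%9Cscript%EF%BC%9Ealert(123)%EF%BC%9C/script%EF%BC%9E",
}

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_query_value(raw: str) -> str:
    """Decode a query-string value in either %uXXXX or UTF-8 percent-encoding.

    urllib's unquote() leaves %uXXXX untouched, so that form is handled first;
    a WAF that only performs the standard decode would never see U+FF1C at all.
    """
    text = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(text, encoding="utf-8", errors="strict")


def naive_filter(value: str) -> bool:
    """The blocklist style filter the thread discusses: ASCII '<' and '>' only."""
    return "<" in value or ">" in value


def normalized_filter(value: str) -> bool:
    """Same check after NFKC compatibility normalisation.

    NFKC folds FULLWIDTH LESS-THAN SIGN (U+FF1C) and FULLWIDTH GREATER-THAN SIGN
    (U+FF1E) to their ASCII counterparts, which is also what a charset conversion
    with transliteration does later in the pipeline. Checking the folded text means
    the filter sees what the browser will eventually see.
    """
    return naive_filter(unicodedata.normalize("NFKC", value))


def fullwidth_chars(value: str) -> list:
    """Report every character whose NFKC form is an HTML/JS-significant ASCII character.

    Useful as a detection signal: a list of (char, code point, folded form) tuples.
    """
    hits = []
    for ch in value:
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch and folded in "<>'\"&/=":
            hits.append((ch, f"U+{ord(ch):04X}", folded))
    return hits


def render_safely(value: str) -> str:
    """Output encoding applied after folding, so that both spellings end up as entities.

    This is the server.htmlencode route from the thread, with the folding step done
    explicitly: encode after any charset conversion, never before it.
    """
    return html.escape(unicodedata.normalize("NFKC", value), quote=True)


def analyze(raw: str) -> dict:
    """Run the whole pipeline on one raw query value and summarise the outcome."""
    decoded = decode_query_value(raw)
    return {
        "decoded": decoded,
        "naive_filter_blocks": naive_filter(decoded),
        "normalized_filter_blocks": normalized_filter(decoded),
        "fullwidth_hits": fullwidth_chars(decoded),
        "rendered": render_safely(decoded),
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = analyze(raw)
        print(f"--- {name}")
        for key, val in result.items():
            print(f"{key:>26}: {val!r}")
```

Running the block shows the same verdict for both spellings: the naive filter reports nothing, the normalised filter blocks, the detector lists four full-width characters, and the rendered output contains only `&lt;`/`&gt;`. In a page served as UTF-8 the full-width characters are inert text, as trev observed in the first post; the exposure arises only when something between the filter and the browser (iconv //TRANSLIT, a single-byte codepage best-fit mapping, a classic ASP response codepage) folds them to ASCII after the filter has run.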

Re: Bypassing WAF with full-width Unicode encoding?
Posted by: Anonymous User
Date: May 24, 2007 10:19AM

@lpilorz: Thanks! I was googling for exactly that kind of table ;)



Edited 1 time(s). Last edit at 05/24/2007 03:18PM by .mario.
