Re: Bypassing of web filters by using ASCII

[Kurt Huwig <k.huwig () iku-ag de>]

Paul schrieb:
> Very interesting, indeed. Does this work with functional characters
> such as html brackets? What about html tag obfuscation (bypassing
> script filters such as those in place at hotmail)?

This works for the whole set of ASCII characters. I was able to create a
HTML page where the MSB was set on all bytes of the file, i.e. also all
brackets, and it worked fine with IE.

I did not check hotmail's script filters.

> Nice find.

Thanks. I happened to read Wikipedia's ASCII page on my lunch time and
stumbled upon

"the eighth bit was commonly used as a parity bit for error checking on
communication lines or other device-specific functions. Machines which
did not use parity typically set the eighth bit to zero, though some
systems such as Prime machines running PRIMOS set the eighth bit of
ASCII characters to one."

Then I was curious what our browsers do with this. The hardest thing was
to get the test page up; the PrintWriter used by JSP deletes the MSB, so
I had to use a servlet.
-- 
Kurt Huwig             iKu Systemhaus AG        http://www.iku-ag.de/
Vorstand               Am Römerkastell 4        Telefon 0681/96751-0
                       66121 Saarbrücken        Telefax 0681/96751-66
GnuPG 1024D/99DD9468 64B1 0C5B 82BC E16E 8940  EB6D 4C32 F908 99DD 9468

Attachment: signature.asc
Description: OpenPGP digital signature