WebApp Sec mailing list archives
Re: Extended ASCII characters used for injection
From: Simon XanthiX <xanthix () gmail com>
Date: Tue, 19 Oct 2010 16:01:24 +0200
Hi,

I don't know if it still works, but I remember that (probably only older versions and/or already fixed) MS IE ignores the most significant bit in the ASCII octet when interpreting the HTML content as US-ASCII. Hence, it is/was possible to encode HTML metacharacters < and > (with corresponding ordinal value 60 and 62) as 60+128 and 60+128. As I mentioned, I am not sure if it still works, but at least it might be of interest to you.

Regards,
XtX.

On Tue, Oct 19, 2010 at 3:06 PM, Nibbler <enibbler () gmail com> wrote:
Hi list,

I have a web app and I want to block special characters in URL on the web server. Do you know if there is a risk of injection (XSS...) with extended ASCII char (%7f-%ff)? Is there any reason to block these characters?

Thanks
Regards,
Nib

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
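An added example, not part of the original posts: a Python sketch that models the high-bit-ignoring behaviour described in the reply, reports which octets above 0x7F in a percent-encoded URL component would turn into HTML metacharacters under that model, and shows an ASCII-only output encoding that is unaffected by it. The function names and the sample input are constructed for illustration.

```python
import html
from urllib.parse import unquote_to_bytes

# HTML metacharacters a filter normally looks for (7-bit values).
META = {ord(c) for c in '<>"\'&'}


def strip_high_bit(data: bytes) -> bytes:
    """Model of the behaviour described in the reply: bit 7 of each octet is ignored."""
    return bytes(b & 0x7F for b in data)


def hidden_metachars(raw_component: str) -> list[tuple[int, int, str]]:
    """Return (offset, octet, 7-bit character) for every octet above 0x7F in a
    percent-encoded URL component that becomes an HTML metacharacter once its
    high bit is dropped."""
    decoded = unquote_to_bytes(raw_component)
    return [(i, b, chr(b & 0x7F)) for i, b in enumerate(decoded)
            if b > 0x7F and (b & 0x7F) in META]


def ascii_safe_html(text: str) -> bytes:
    """Escape metacharacters, then emit every non-ASCII character as a numeric
    character reference, so no octet above 0x7F is sent to the client."""
    return html.escape(text, quote=True).encode("ascii", "xmlcharrefreplace")


# Constructed sample input (benign <b> markup), not taken from the thread.
SAMPLE = "q=%BCb%BEhello%BC%AFb%BE"

if __name__ == "__main__":
    raw = unquote_to_bytes(SAMPLE)
    print("as received      :", raw)
    print("high bit ignored :", strip_high_bit(raw))
    for offset, octet, char in hidden_metachars(SAMPLE):
        print(f"offset {offset}: 0x{octet:02X} reads as {char!r}")
    safe = ascii_safe_html(raw.decode("latin-1"))
    print("ASCII-only output:", safe, "unchanged:", strip_high_bit(safe) == safe)
```

Under this model a valid UTF-8 sequence such as `%C3%BC` is reported as well, because its second octet 0xBC also reads as `<` once the high bit is dropped.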
Current thread:
- Extended ASCII characters used for injection Nibbler (Oct 19)
- Re: Extended ASCII characters used for injection Mostafa Siraj (Oct 19)
- RE: Extended ASCII characters used for injection Onken, Skyler (Oct 19)
- Re: Extended ASCII characters used for injection Simon XanthiX (Oct 19)
- Re: Extended ASCII characters used for injection john s (Oct 19)
- RE: Extended ASCII characters used for injection Chris Weber (Oct 20)
- Re: Extended ASCII characters used for injection Jeff Williams (Oct 20)
- RE: Extended ASCII characters used for injection Linden Darling (Oct 20)
- RE: Extended ASCII characters used for injection Richard M. Smith (Oct 25)
- Re: Extended ASCII characters used for injection john s (Oct 25)
- RE: Extended ASCII characters used for injection Chris Weber (Oct 25)
- Re: Extended ASCII characters used for injection john s (Oct 25)
- Re: Extended ASCII characters used for injection Jeff Williams (Oct 20)