WebApp Sec mailing list archives

Re: Extended ASCII characters used for injection


From: Simon XanthiX <xanthix () gmail com>
Date: Tue, 19 Oct 2010 16:01:24 +0200

Hi,

I don't know if it still works, but I remember that (probably only
older versions and/or already fixed) MS IE ignores the most significant
bit in the ASCII octet when interpreting the HTML content as US-ASCII.
Hence, it is/was possible to encode the HTML metacharacters < and > (with
corresponding ordinal values 60 and 62) as 60+128 and 60+128. As I
mentioned, I am not sure if it still works, but at least it might be
of interest to you.

Regards,

XtX.
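Added illustration, not part of the thread: a small Python model of the client behaviour described above (treating the high-bit byte as its 7-bit ASCII counterpart is an assumed model of the old IE quirk), showing why a server-side filter that only looks for the literal `<` and `>` bytes misses the %80-%ff aliases in a URL parameter, and what a filter that accounts for them looks like.

```python
from urllib.parse import unquote_to_bytes

# HTML metacharacters a typical URL-parameter filter wants to catch: < > " ' &
METACHARS = {0x3C, 0x3E, 0x22, 0x27, 0x26}


def naive_filter_blocks(data: bytes) -> bool:
    """Naive check: rejects only the literal 7-bit metacharacter bytes."""
    return any(b in METACHARS for b in data)


def msb_stripped(data: bytes) -> bytes:
    """Assumed model of a client that ignores bit 7 when decoding US-ASCII:
    every byte is reduced to its low 7 bits before rendering."""
    return bytes(b & 0x7F for b in data)


def high_bit_aliases(data: bytes) -> list:
    """Offsets and values of bytes >= 0x80 whose 7-bit projection is a
    metacharacter, i.e. the bytes a naive filter lets through but an
    MSB-stripping client would render as markup."""
    return [(i, b) for i, b in enumerate(data)
            if b >= 0x80 and (b & 0x7F) in METACHARS]


def robust_filter_blocks(data: bytes) -> bool:
    """Reject the literal metacharacters and their high-bit aliases."""
    return naive_filter_blocks(data) or bool(high_bit_aliases(data))


def check_query_string(qs: str) -> dict:
    """Percent-decode a raw query string to bytes (the form a web server
    sees) and report both filter verdicts plus the client's view."""
    raw = unquote_to_bytes(qs)
    return {
        "naive_blocks": naive_filter_blocks(raw),
        "robust_blocks": robust_filter_blocks(raw),
        "aliases": high_bit_aliases(raw),
        "client_view": msb_stripped(raw),
    }


# Constructed sample: %BC and %BE are 0x3C+0x80 and 0x3E+0x80.
SAMPLE_QS = "q=%BCb%BEbold%BC/b%BE"

if __name__ == "__main__":
    print(check_query_string(SAMPLE_QS))
```

A legitimate Latin-1 byte such as 0xE9 (é) reduces to 0x69 ('i'), so the robust check does not reject ordinary accented text; only the bytes whose low 7 bits collide with a metacharacter are flagged.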

On Tue, Oct 19, 2010 at 3:06 PM, Nibbler <enibbler () gmail com> wrote:
Hi list,

I have a web app and I want to block special characters in the URL on the
web server. Do you know if there is a risk of injection (XSS...) with
extended ASCII characters (%7f-%ff)?
Is there any reason to block these characters?

Thanks
Regards,
Nib



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------