[Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angel Quotation Mark bypass?
Arian J. Evans
arian.evans at anachronic.com
Sun Jun 7 02:39:55 BST 2009
On Sat, Jun 6, 2009 at 5:43 PM, Chris Weber<chris at casabasec.com> wrote:
> Your discussion point #2 seems to digress, talking about the confusables and
> lookalikes don't seem to lend to the original subject. Unless, you're
> suggesting that they somehow add to the canonicalization of strings that
> White Hat is seeing?
Yes, that is exactly what I am saying.
It is much easier to inject a CAST or a SELECT past a blacklist if
there are multiple characters canonicalized to As and Es in the
And the same goes for things like double-quotes. Many (most?) language
character sets have confusables and false-familiars with U000/001
Unicode, and Latin/ASCII, and sometimes they are canonicalized as
I have nothing that tells me, when I see a character conversion, if it
is a "best fit" mapping or an attempt to canonicalize confusables or
avoid name collision. So I put them all in the same bucket in terms of
A developer using unicode would probably not put them in the same bucket.
Full-Disclosure is hosted and sponsored by Secunia.