[Full-disclosure] [WEB SECURITY] Unicode Left/Right Pointing Double Angle Quotation Mark bypass?
Arian J. Evans
arian.evans at anachronic.com
Sun Jun 7 02:39:55 BST 2009
On Sat, Jun 6, 2009 at 5:43 PM, Chris Weber <chris at casabasec.com> wrote:
> Your discussion point #2 seems to digress; talking about the confusables and
> lookalikes doesn't seem to lend to the original subject. Unless you're
> suggesting that they somehow add to the canonicalization of strings that
> White Hat is seeing?
Yes, that is exactly what I am saying.
It is much easier to inject a CAST or a SELECT past a blacklist if
there are multiple characters canonicalized to As and Es in the
application.
And the same goes for things like double-quotes. Many (most?) language
character sets have confusables and false-familiars with U000/001
Unicode, and Latin/ASCII, and sometimes they are canonicalized as
such.
I have nothing that tells me, when I see a character conversion, if it
is a "best fit" mapping or an attempt to canonicalize confusables or
avoid name collision. So I put them all in the same bucket in terms of
security measurement/classification.
A developer using Unicode would probably not put them in the same bucket.
-ae
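An added example (not from this thread) of the canonicalization problem described above, assuming that the application's canonicalization step is Unicode NFKC normalization and that the blacklist is a plain substring match: a keyword check run on the raw input misses fullwidth lookalikes that NFKC later folds to ASCII, while the same check run after canonicalization catches them. The double angle quotes from the subject line are included as a contrast case, since NFKC leaves them unchanged.

```python
import unicodedata

# Assumed blacklist of SQL keywords the application tries to reject.
BLACKLIST = ("SELECT", "CAST")

# Constructed sample: fullwidth Latin capitals (U+FF21..U+FF3A) fold to ASCII under NFKC.
FULLWIDTH_SELECT = "\uff33\uff25\uff2c\uff25\uff23\uff34"  # "ＳＥＬＥＣＴ"
# U+00AB / U+00BB (the double angle quotation marks in the subject) have no NFKC mapping.
DOUBLE_ANGLE_QUOTES = "\u00ab\u00bb"


def canonicalize(s: str) -> str:
    """Assumed application canonicalization step: NFKC compatibility normalization."""
    return unicodedata.normalize("NFKC", s)


def blacklist_hit(s: str) -> bool:
    """Case-insensitive substring match against BLACKLIST."""
    upper = s.upper()
    return any(word in upper for word in BLACKLIST)


def naive_check(s: str) -> bool:
    """Blacklist applied to the raw input, i.e. before canonicalization."""
    return blacklist_hit(s)


def hardened_check(s: str) -> bool:
    """Blacklist applied after canonicalization, so folded lookalikes are visible."""
    return blacklist_hit(canonicalize(s))


def nfkc_changes(s: str) -> list:
    """Inventory which code points NFKC rewrites: (char, Unicode name, folded result).

    Useful for auditing which 'confusable' or 'best fit' mappings a normalizer
    applies, which the message above says is otherwise hard to tell apart."""
    changes = []
    for ch in s:
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch:
            changes.append((ch, unicodedata.name(ch, "?"), folded))
    return changes


if __name__ == "__main__":
    for label, sample in (("fullwidth", FULLWIDTH_SELECT), ("angle quotes", DOUBLE_ANGLE_QUOTES)):
        print(label, "naive:", naive_check(sample), "hardened:", hardened_check(sample))
        for ch, name, folded in nfkc_changes(sample):
            print("  %r (%s) -> %r" % (ch, name, folded))
```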
Full-Disclosure is hosted and sponsored by Secunia.