Hi,
I've found that the two methods you described work, e.g. using HTML such as
this:
If this text is orange and an alert appears, the obfuscated JS in the CSS
was evaluated
and a CSS file like this:
---ascii.css---
@charset "US-ASCII";
óðáîûãïìïòº ïòáîçå»
Sent: Friday, 23 June, 2006 6:12:13 PM
Subject: Re: Bypassing of web filters by using ASCII
On 23 Jun 2006 at 10:35, Vincent Archer wrote:
> On Fri, Jun 23, 2006 at 12:08:56AM +0200, Amit Klein (AKsecurity) wrote:
> > So what I don't understand now is why IE's "sol
Both of those would work in the case where the charset has
already been set by the server. The problem is that most servers set a
charset by default. The other bigger problem is that both of those (and
the META one) require that you inject HTML into the page to get it to
work. If you c
On 23 Jun 2006 at 7:55, James C. Slora Jr. wrote:
> Amit Klein wrote Thursday, June 22, 2006 3:47 AM
>
> > So in order to exploit this in HTML over HTTP, the attacker needs to
> either add/modify the Content-Type response header, or to add/modify the
> META tag in the HTML page.
>
> There are ot
On Wednesday, 21 June 2006 at 15:11, [EMAIL PROTECTED] wrote:
[...]
> Product : Microsoft InternetExplorer 6
[...]
> Of the tested browsers Firefox 1.5, Opera 8.5 and InternetExplorer 6,
> only the InternetExplorer does this correctly, the others evaluate the
> bit and display the cha
Hubert Seiwert wrote Monday, June 26, 2006 1:57 PM
> I don't currently see how this "ascii vulnerability" would make code
> injection possible on webservers where the Content-Type is not
> US-ASCII already, as the 3 methods mentioned to change the charset
> (http-equiv content-type header, CSS
On Fri, Jun 23, 2006 at 05:12:13PM +0200, Amit Klein (AKsecurity) wrote:
> On 23 Jun 2006 at 10:35, Vincent Archer wrote:
> > The same problem did exist in RFC821, which specified the data path as
> > being 7-bit, with the MSB set to 0. The venerable ancestor sendmail did
> > enforce that, by and-i
On 6/21/06 3:24 PM, "Paul" <[EMAIL PROTECTED]> spoketh to all:
>>> At
>>>
>>>
>>> http://www.iku-ag.de/ASCII
>>>
>>>
>>> you can find a test page that displays a secret message. IE6 displays
>>>
>>> the text correctly, Firefox 1.5 and Opera 8.5 display gibberish text.
Safari 2.0.3 a
On 23 Jun 2006 at 10:35, Vincent Archer wrote:
> On Fri, Jun 23, 2006 at 12:08:56AM +0200, Amit Klein (AKsecurity) wrote:
> > So what I don't understand now is why IE's "solution" is any better than
> > Opera/Firefox?
> >
> > Why is modifying the data (msb) any better than modifying the
> > dat
Amit Klein wrote Thursday, June 22, 2006 3:47 AM
> So in order to exploit this in HTML over HTTP, the attacker needs to
either add/modify the Content-Type response header, or to add/modify the
META tag in the HTML page.
There are other ways that might carry a bigger injection threat:
Style sheet
On 21 Jun 2006 at 13:11, [EMAIL PROTECTED] wrote:
>
> 1. problem description
>
> The character set ASCII encodes every character with 7 bits. Internet
> connections transmit octets with 8 bits. If the content of such a
> transmission is encoded in ASCII, the most significant bit must be ignored.
Agreed, nice find. Here are some perl scripts to do the transcoding (I called
it asciilate.pl):
#!/usr/bin/perl -n
#enable 8th bit on ascii characters sent to stdin, output to stdout
foreach $c (split//,$_) {print chr(ord($c)+128)}
#!/usr/bin/perl
#as above, add content-type header to make it wo
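The following is an added example, not code from the thread or from the iKu advisory. It models the trick the perl one-liner above performs (setting bit 7 on every byte of an ASCII payload) together with the two decoder behaviours the thread compares: a decoder that honours charset=US-ASCII by ignoring the most significant bit (the IE 6 behaviour described in the advisory) and one that treats the octets as ISO-8859-1 (the Firefox/Opera behaviour). It then shows why a byte-level filter misses the payload and what a hardened filter does instead. The functions, the regex and the sample payload are constructed for illustration and are assumptions of this example.

```python
import re

# Constructed sample payload (not taken from the thread).
PAYLOAD = '<script>alert("xss")</script>'

# Signature-style pattern a naive byte-level filter might use (assumption).
NAIVE_PATTERN = re.compile(rb"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def set_high_bit(payload: str) -> bytes:
    """Transcode a 7-bit ASCII string by setting bit 7 on every byte,
    the same operation as the perl one-liner in the thread."""
    return bytes(b | 0x80 for b in payload.encode("ascii"))


def decode_like_ie(data: bytes) -> str:
    """Model of a decoder that, for charset=US-ASCII, ignores the MSB
    (the IE 6 behaviour the advisory describes)."""
    return bytes(b & 0x7F for b in data).decode("ascii")


def decode_like_latin1(data: bytes) -> str:
    """Model of a decoder that treats the octets as ISO-8859-1 and
    therefore renders the high-bit payload as gibberish."""
    return data.decode("latin-1")


def naive_filter_blocks(data: bytes) -> bool:
    """Filter that scans only the raw bytes it was handed."""
    return NAIVE_PATTERN.search(data) is not None


def hardened_filter_blocks(data: bytes, charset: str) -> bool:
    """Filter that first canonicalises the input the way the target
    decoder will, then scans. Under a 7-bit charset any octet with bit 7
    set is rejected outright, since it cannot be legitimate content."""
    seven_bit = charset.upper() in ("US-ASCII", "ASCII")
    if seven_bit and any(b & 0x80 for b in data):
        return True
    text = decode_like_ie(data) if seven_bit else decode_like_latin1(data)
    return NAIVE_PATTERN.search(text.encode("latin-1")) is not None


def demo() -> dict:
    """Run the payload through both decoders and both filters."""
    encoded = set_high_bit(PAYLOAD)
    return {
        # raw-byte scan sees only high-bit octets: no match
        "naive_blocks": naive_filter_blocks(encoded),
        # IE-style decode recovers the original markup
        "ie_view": decode_like_ie(encoded),
        # Latin-1 decode yields unrelated accented characters
        "latin1_view": decode_like_latin1(encoded),
        # normalising first lets even the naive pattern match
        "naive_after_normalising": naive_filter_blocks(
            decode_like_ie(encoded).encode("ascii")
        ),
        # hardened filter rejects high-bit octets under US-ASCII
        "hardened_blocks": hardened_filter_blocks(encoded, "US-ASCII"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The practical point is that a filter has to canonicalise to the form the consuming browser will see before it scans; scanning the wire bytes while the browser applies a different decoding is exactly the gap the thread describes.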
imipak wrote:
> Hmmm, I just noticed Firefox's Accept-Charset header doesn't include
> ASCII. Does the HTTP spec say that ASCII is the default charset?
No, it's ISO-8859-1. According to
http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-035.pdf
Page 27 (37):
"11.2 Transformatio
On 21 Jun 2006 at 18:24, Paul wrote:
> Very interesting, indeed. Does this work with functional characters
> such as html brackets? What about html tag obfuscation (bypassing
> script filters such as those in place at hotmail)?
>
Notice that in order for this trick to work, the charset should be
RSnake wrote:
>
> Jeremiah Grossman and I were able to get a proof of concept
> working based off of Kurt's work that actually runs a simple piece of
> JavaScript in IE, without using open or close angle brackets. Here's
> the link to the post:
>
> http://ha.ckers.org/blog/20060621/us-asci
Jeremiah Grossman and I were able to get a proof of concept
working based off of Kurt's work that actually runs a simple piece of
JavaScript in IE, without using open or close angle brackets. Here's
the link to the post:
http://ha.ckers.org/blog/20060621/us-ascii-xss-part-2/
I
Paul wrote:
> Very interesting, indeed. Does this work with functional characters
> such as html brackets? What about html tag obfuscation (bypassing
> script filters such as those in place at hotmail)?
This works for the whole set of ASCII characters. I was able to create a
HTML page where the
Very interesting, indeed. Does this work with functional characters
such as html brackets? What about html tag obfuscation (bypassing
script filters such as those in place at hotmail)?
Nice find.
Paul
On 6/21/06, Fixer <[EMAIL PROTECTED]> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
T
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This also affects IE 7 Beta 2.
Did you shoot this over to Microsoft?
[EMAIL PROTECTED] wrote:
> ___
>
>
>iKu Advisory
>
> _
___
iKu Advisory
___
Product : Microsoft InternetExplorer 6
: various filter applications
Dat