Unicode Transformations: Finding Elusive Vulnerabilities › › Unicode... · OWASP AppSecDC...
111
OWASP AppSecDC November 2009 Chris Weber [email protected] Casaba Security Unicode Transformations: Finding Elusive Vulnerabilities
Transcript of Unicode Transformations: Finding Elusive Vulnerabilities › › Unicode... · OWASP AppSecDC...
OWASP AppSecDCNovember 2009
Chris Weber
chriscasabasecuritycom
Casaba Security
Unicode Transformations Finding Elusive Vulnerabilities
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Visual spoofing and counterfeiting
bull Text transformation attacks
wwwcasabasecuritycom
Whatrsquos this about
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Why you should care about Visual Integrityhellip
ndash Branding
ndash Identity
ndash Cloud Computing ndash URIrsquos
wwwcasabasecuritycom
What will you learn
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Good techniques for finding bugs
ndash Web-apps and clever XSS
ndash Test cases for fuzzing
wwwcasabasecuritycom
What will you learn
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app testing for free
ndash httpwebsecuritytoolcodeplexcom
bull Unibomber
ndash Deterministic auto-pwn XSS testing
wwwcasabasecuritycom
What about tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Can you tell the difference
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
How about now
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscrİptgt
becomes
ltscriptgt
wwwcasabasecuritycom
The TransformersWhen good input turns bad
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Agenda
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Visual spoofing and counterfeiting
bull Text transformation attacks
wwwcasabasecuritycom
Whatrsquos this about
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Why you should care about Visual Integrityhellip
ndash Branding
ndash Identity
ndash Cloud Computing ndash URIrsquos
wwwcasabasecuritycom
What will you learn
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Good techniques for finding bugs
ndash Web-apps and clever XSS
ndash Test cases for fuzzing
wwwcasabasecuritycom
What will you learn
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app testing for free
ndash httpwebsecuritytoolcodeplexcom
bull Unibomber
ndash Deterministic auto-pwn XSS testing
wwwcasabasecuritycom
What about tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Can you tell the difference
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
How about now
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscrİptgt
becomes
ltscriptgt
wwwcasabasecuritycom
The TransformersWhen good input turns bad
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Agenda
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Why you should care about Visual Integrityhellip
ndash Branding
ndash Identity
ndash Cloud Computing ndash URIrsquos
wwwcasabasecuritycom
What will you learn
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Good techniques for finding bugs
ndash Web-apps and clever XSS
ndash Test cases for fuzzing
wwwcasabasecuritycom
What will you learn
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app testing for free
ndash httpwebsecuritytoolcodeplexcom
bull Unibomber
ndash Deterministic auto-pwn XSS testing
wwwcasabasecuritycom
What about tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Can you tell the difference
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
How about now
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscrİptgt
becomes
ltscriptgt
wwwcasabasecuritycom
The TransformersWhen good input turns bad
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Agenda
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Good techniques for finding bugs
ndash Web-apps and clever XSS
ndash Test cases for fuzzing
wwwcasabasecuritycom
What will you learn
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app testing for free
ndash httpwebsecuritytoolcodeplexcom
bull Unibomber
ndash Deterministic auto-pwn XSS testing
wwwcasabasecuritycom
What about tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Can you tell the difference
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
How about now
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscrİptgt
becomes
ltscriptgt
wwwcasabasecuritycom
The TransformersWhen good input turns bad
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Agenda
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app testing for free
ndash httpwebsecuritytoolcodeplexcom
bull Unibomber
ndash Deterministic auto-pwn XSS testing
wwwcasabasecuritycom
What about tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Can you tell the difference
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
How about now
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscrİptgt
becomes
ltscriptgt
wwwcasabasecuritycom
The TransformersWhen good input turns bad
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Agenda
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Can you tell the difference
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
How about now
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscrİptgt
becomes
ltscriptgt
wwwcasabasecuritycom
The TransformersWhen good input turns bad
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Agenda
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
How about now
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscrİptgt
becomes
ltscriptgt
wwwcasabasecuritycom
The TransformersWhen good input turns bad
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Agenda
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscrİptgt
becomes
ltscriptgt
wwwcasabasecuritycom
The TransformersWhen good input turns bad
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Agenda
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Agenda
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
ndash Watcher
ndash Unibomber
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Globalization
bull One framework for all languages
bull Storage and transmission of text
bull A large database
wwwcasabasecuritycom
Unicode Crash CourseWhat is Unicode
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull All software
bull All users
wwwcasabasecuritycom
Unicode Crash CourseThe Unicode Attack Surface
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash CourseUnthink it
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A large and complex standard
Unicode Crash Course
code pointsencodingscategorizationnormalizationbinary propertiescase mappingconversion tablesbi-directional properties
canonical mappingsdecomposition typescase foldingbest-fit mapping17 planesprivate use rangesscript blocks
escapings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Shift_jis
Gb2312
ISCII
Windows-1252
ISO-8859-1
EBCDIC 037
wwwcasabasecuritycom
Unicode Crash CourseCode pages and charsets
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode can represent them all
bull ASCII range is preserved
ndash U+0000 to U+007F are mapped to ASCII
wwwcasabasecuritycom
Unicode Crash CourseAd Infinitum
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode 51 uses a 21-bit scalar value with space for over 1100000 code points
U+0000 to U+10FFFF
wwwcasabasecuritycom
Unicode Crash CourseCode points
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
A = U+0041
Every character has a unique number
wwwcasabasecuritycom
Unicode Crash CourseCode Points
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
AU+0041
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Unicode Crash Course
ſU+017F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
UTF-8 ndash variable width 1 to 4 bytes (used to be 6)
UTF-16ndash Endianessndash Variable width 2 or 4 bytesndash Surrogate pairs
UTF-32ndash Endianessndash Fixed width 4 bytesndash Fixed mapping no algorithms needed
wwwcasabasecuritycom
Unicode Crash CourseEncodings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
U+FF21 FULLWIDTH LATIN CAPITAL LETTER A
EFBCA1
ampxFF21
amp65313
xEFxBCxA1
uFF21
wwwcasabasecuritycom
Unicode Crash CourseEncodings and Escape sequences
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash coursebull Root Causes
ndash Visual Spoofing and IDNrsquosndash Best-fit mappingsndash Normalizationndash Overlong UTF-8ndash Over-consumptionndash Character substitutionndash Character deletionndash Casingndash Buffer overflowsndash Controlling Syntaxndash Charset transformationsndash Charset mismatches
bull Tools
wwwcasabasecuritycom
Unicode TransformationsOverview
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Visual Spoofing and IDNrsquos
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Over 100000 assigned characters
bull Many lookalikes within and across scripts
AΑАᐱᗅᗋᗩᴀᴬA
wwwcasabasecuritycom
Root CausesVisual Spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpnottrustedcomidnphp
wwwcasabasecuritycom
Open your Web browserAnd follow along
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Some browsers allow COM IDNrsquos
based on script family
ndash (Latin has a big family)
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Opera
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwgooglecom is not wwwgooɡlecom
Latin U+0069
LatinU+0261
gɡ
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ICANN guidelines v20
ndash Inclusion-based
ndash Script limitations
ndash Character limitations
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
Deny-all default seems to be the right concept
A script can cross many blocks Even with limited script choices therersquos plenty to choose from
Great for domain labels but sub domain labels still open to punctuation and syntax spoofing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Divergent user-agent implementations
bull Lookalikes everywhere
bull IDNA and Nameprep based on Unicode 32
ndash Wersquore up to Unicode 51 (larger repertoire)
wwwcasabasecuritycom
Root CausesIDN ndash so whatrsquos the problem
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Registrars still allow
ndash Confusables
ndash Combining marks
ndash Single Whole and Mixed-script
bull Registrars canrsquot control
ndash Syntax spoofing in sub domain labels
wwwcasabasecuritycom
Root CausesThe state of International Domain Names
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Non-Unicode attacks
bull Confusables
bull Invisibles
bull Problematic font-rendering
bull Manipulating Combining Marks
bull Bidi and syntax spoofing
wwwcasabasecuritycom
Attack VectorsVisual spoofing Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
rn can look like m in certain fonts
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
wwwmulletscom is not wwwrnulletscom
Latin U+006D
LatinU+0073 U+006E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Are you using mono-width fonts
0 and O
1 and l
5 and S
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Classic long URLrsquos
httploginfacebookintvitationvideomessageid-
h048892r39sessionnfbidcomhomehtmdisbursements
wwwcasabasecuritycom
Attack VectorsNon-Unicode homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
wwwɑpplecom
All Latin using Latin small letter Alpha lsquoɑrsquo
wwwfaϲebookcom
Mixed LatinGreek with lunate sigma symbol lsquocrsquo
wwwаЬсcom
All Cyrillic lsquoabcrsquo
wwwcasabasecuritycom
Attack VectorsUnicode and The Confusables
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Browsers whitelist ORG
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Others donrsquot necessarily buthellip
wwwcasabasecuritycom
Attack VectorsIDN homograph attacks
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsIDN homograph attacks
wwwmozillaorg is not wwwmoziacutellaorg
Latin U+0069
LatinU+00ED
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(This case doesnrsquot work anymore)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
FULLWIDTH SOLIDUSU+FF0F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(Normalized to a U+002F)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecompathfilenottrustedorg
SOLIDUSU+002F
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
(However punctuation not requiredhellip)
wwwcasabasecuritycom
Attack VectorsIDN Syntax Spoofing with lookalikes
httpwwwgooglecomノpathノfilenottrustedorg
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsThe Invisibles
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack VectorsVisual Spoofing with Bidi Explicit Directional Overrides
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Best-fit Mappings
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Commonly occur in charset transformations and even innocuous APIrsquos
Impact Filter evasion Enable code execution
When σ becomes s
U+03C3 GREEK SMALL LETTER SIGMA
When prime becomes
U+2032 PRIME
wwwcasabasecuritycom
Root CausesBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Scrutinize charactercharset manipulation APIrsquos
bull Use EncoderFallback with SystemTextEncoding
bull Set WC_NO_BEST_FIT_CHARS flag with WideCharToMultiByte()
bull Use Unicode end-to-end
wwwcasabasecuritycom
Root CausesGuidance for Best-Fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull A popular social networking site in 2008
bull Implemented complex filtering logic to prevent XSS
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with best-fit mappings to leverage cross-site scripting
ndash Root Cause best-fit mappings
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
-moz-binding()
was not allowed buthellip
-[U+ff4d]oz-binding()
would best-fit map
wwwcasabasecuritycom
Case Study Social NetworkingBest-fit mappings
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalizing strings after validation is dangerous
Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesNormalization
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
İ becomes I +
wwwcasabasecuritycom
Root CausesNormalization
U+0130 U+0049 U+0307
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
But are there dangerous characters
You bethellip with NFKC and NFKD you could control HTML or other parsing
﹤ becomes lt
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
﹤ becomes lt
toNFKC(ldquo﹤scriptgtrdquo) = ldquoltscriptgtrdquo
wwwcasabasecuritycom
Root CausesNormalization
U+FE64 U+003C
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Overlong UTF-8
(Canonicalization)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Non-shortest or overlong UTF-8
Impact Filter evasion Enable code execution
Application gets C0A7
OSFramework sees 27
Database gets
wwwcasabasecuritycom
Root CausesNon-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode specification forbids
ndash Generation of non-shortest form
ndash Interpretation of non-shortest form for BMP
bull Validate UTF-8 encoding (throw on error)
wwwcasabasecuritycom
Root CausesGuidance for Non-shortest form UTF-8
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
How many ways can you say
wwwcasabasecuritycom
Attack VectorsDirectory traversal
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Attack Vectors
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Handling the Unexpected
(Good fuzzing test cases)
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unassigned code points
ndash U+2073
bull Illegal code points
ndash Half a surrogate pair
bull Code points with special meaning
ndash U+FEFF is the BOM
wwwcasabasecuritycom
Root CausesHandling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-Consumption
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Over-consuming ill-formed byte sequences
Big problem with MBCS lead bytes
lt41 C2 3E 41gt becomes
lt41 41gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltimg src=0xC2gt onerror=alert(1)ltbr gt
Browser sees
ltimg src=gt onerror=alert(1) gtltbr gt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Over-consumption
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Substitution
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Correcting insecurely rather than failing
ndash Substituting a lsquorsquo or a lsquorsquo would be bad
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-substitution
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Character Deletion
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ldquodeletion of noncharactersrdquo
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
ltscr[U+FEFF]iptgt becomes ltscriptgt
wwwcasabasecuritycom
Root CausesHandling the Unexpected Character-deletion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Fail or error
bull Use U+FFFD instead
ndash A common alternative is lsquorsquo which can be safe
wwwcasabasecuritycom
Root CausesSolutions for Handling the Unexpected
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Bypass filters WAFrsquos NIDS and validation
bull Exploit delivery techniques
ndash Eg Cross-site scripting
wwwcasabasecuritycom
Attack VectorsFilter evasion
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Safari and Firefox BOM consumption
ndash Attack Filter evasion code execution
ndash Exploit Bypass filtering logic with specially crafted strings to leverage cross-site scripting
ndash Root Cause Character deletion
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=ldquojava[U+FEFF]scriptalert(bdquoXSS‟)gt
wwwcasabasecuritycom
Case Study Apple and Mozilla
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
A Closer Look The BOM
BOMU+FEFF
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Upper and lower-casing can produce dangerous text
bull Casing can multiply the buffer sizes needed
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
toLower(ldquoİrdquo) == ldquoirdquo
toLower(ldquoscrİptrdquo) == ldquoscriptrdquo
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
len(x) = len(toLower(x))
wwwcasabasecuritycom
Root CausesCasing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Perform casing operations before validation
bull Leverage existing frameworks and APIrsquos
ndash ICU Net
wwwcasabasecuritycom
Root CausesGuidance for Casing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Buffer Overflows
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Incorrect assumptions about string sizes (chars vs bytes)
bull Improper width calculations
bull Impact Enable code execution
wwwcasabasecuritycom
Root CausesBuffer Overflows
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Casing - maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
Lower 8 15 Ⱥ U+023A
16 32 1 A U+0041
Upper 8 16 32 3 ΐ U+0390Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Normalization- maximum expansion factors
wwwcasabasecuritycom
Root CausesBuffer Overflows
Operation UTF Factor Sample
NFC8 3X 119136 U+1D160
16 32 3X ש U+FB2C
NFD8 3X ΐ U+0390
16 32 4X ᾂ U+1F82
NFKCNFKD8 11X
ملسو هيلع هللا ىلص U+FDFA16 32 18X
Source Unicode Technical Report 36
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Controlling Syntax
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull White space and line breaks
ndash Eg when U+180E acts like U+0020
bull Quotation marks
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesControlling Syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Manipulate HTML parsers and javascriptinterpreters
bull Control protocols
wwwcasabasecuritycom
Attacks and ExploitsControlling syntax
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode formatter characters exploited for XSS
ndash Damage Filter evasion controlling syntax
ndash Exploit Bypass filtering logic with specially crafted characters to leverage cross-site scripting
ndash Root Cause Interpreting ldquowhite spacerdquo
ndash A problem with HTML 40 spec
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
lta href=[U+180E]onclick=alert()gt
wwwcasabasecuritycom
Case Study Opera
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Case Study Opera
MVSU+180E
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Specifications
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
1) Character stabilityndash IDNANameprep based on Unicode 32
2) Designsndash Specs are carefully designed but not always perfect
bull This was a problemndash ldquoWhen designing a markup language or data protocol the use of
U+FEFF can be restricted to that of Byte Order Mark In that case any U+FEFF occurring in the middle of the file can be ignored or treated as an error rdquo
ndash HTML 401 bull Defines four whitespace characters and explicitly leaves
handling other characters up to implementer
wwwcasabasecuritycom
Root CausesSpecifications
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Transformations
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Converting between charsets is dangerous
bull Mapping tables and algorithms vary across platforms
bull Impact Filter evasion Enable code execution Data-loss
wwwcasabasecuritycom
Root CausesCharset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Avoid if possible
bull Use Unicode as the broker
bull Beware the PUA mappings
bull Transform case and normalize prior to validation and redisplay
wwwcasabasecuritycom
Root CausesGuidance for Charset Transformations
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
Charset Mismatches
wwwcasabasecuritycom
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Some charset identifiers are ill-defined
bull Vendor implementations vary
bull User-agents may sniff if confused
bull Attackers manipulate behavior
bull Impact Filter evasion Enable code execution
wwwcasabasecuritycom
Root CausesCharset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Root CausesCharset Mismatches
Content-Type charset=ISO-8859-1
ltmeta http-equiv=Content-Type content=texthtml charset=shift_jisgt
Attacker-controlled input
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Force UTF-8
bull Error if uncertain
wwwcasabasecuritycom
Root CausesGuidance for Charset Mismatches
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode crash course
bull Root Causes
bull Attack Vectors
bull Tools
wwwcasabasecuritycom
Unicode TransformationsAgenda
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Watcher
ndash Microsoft SDL recommended tool
ndash Passive Web-app security testing and auditing
bull Unibomber
ndash XSS autopwn testing tool
wwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Unicode transformation hot-spotsbull XSS hot-spotsbull User-controlled HTMLbull Cross-domain issuesbull Insecure cookiesbull Insecure HTTPHTTPS transitionsbull SSL protocol and certificate issuesbull Flash issuesbull Silverlight issuesbull Information disclosurebull Morehellip
wwwcasabasecuritycom
ToolsWatcher ndash Some of the Passive Checks Included
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weberwwwcasabasecuritycom
Tools
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
httpwebsecuritytoolcodeplexcom
wwwcasabasecuritycom
ToolsWatcher - Web-app Security Testing and Auditing
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
OWASP AppSecDC - November 2009 copy 2009 Chris Weber
bull Deterministic testing
bull Auto-inject payloads
bull Unicode transformers
ndash lt gt lsquo ldquo etc
bull Detect transformations and encoding hotspots
wwwcasabasecuritycom
ToolsUnibomberndash runtime XSS testing tool
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
Thank you
Casaba Security
wwwcasabasecuritycom
Chris Weber
Blog wwwlookoutnet
Email chriscasabasecuritycom
LinkedIn httpwwwlinkedincominchrisweber
