Category Archives: testing

Unicode attacks and test cases: IDN and IRI display, normalization and anti-spoofing

Internationalized Resource Identifiers (IRIs) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters: mainly lower- and upper-case letters, numbers, and some punctuation. IRIs were forecast many years ago by Martin Dürst and Michel Suignard, and formalized in [...]

Unicode attacks and test cases - Visual Spoofing, IDN homograph attacks, and the Mixed Script Confusables

More on lookalikes, confusables, IDN homograph attacks, and other fun stuff, continued from the previous post.
Mixed-script confusables
These occur when letters from one alphabet or script are used to give the same visual appearance as letters from a completely different script. For example, the following words contain a mix of Latin and Cyrillic letters [...]

Advisory: Adobe Air 1.1 JavaScript execution security vulnerability

Adobe released a patch and bulletin for an issue I reported back in May. The issue is really in WebKit, and many products seem to be affected.
A vulnerability has been identified in Adobe AIR 1.1 and earlier that could allow an attacker who successfully exploits this potential vulnerability to execute untrusted JavaScript with elevated privileges. [...]

Unicode root-cause security issues for generating test cases

When it comes to Unicode implementations, there’s a rich set of test cases to perform. Realizing it is the start. Automating it is the next step.
Most Unicode-related security bugs can be categorized into the following root causes:

- Canonicalization
  - Interpreting non-shortest form (e.g. UTF-8 encoding trickery)
  - Other decoding issues
- Absorption (over-consumption)
  - Over-consuming invalid byte sequences, or correcting rather than failing

When [...]

How to: Fuzzing Web Services on IIS 6.0 and ASP.NET

So we want to fuzz something SOAPy, again. Well here’s how we’re gonna do it. The approach I like to take with clients is a gray-box, or code-assisted penetration testing. Gray box analysis is a powerful technique combining input testing with source analysis, runtime tracing, profiling, and debugging to identify real issues [...]

To fuzz or not to fuzz web services…

Is it worth the time to run input fuzzing tests against web services? When engaging a client for a security review I’m often the one to pose this question. Sure, why not… right? Well honestly there’s a more precise way to answer this question. First we really need to understand the [...]

Internet Explorer whitespace-as-comment hack to bypass input filters

When testing for XSS (cross-site scripting) issues, you often need to bypass filters and perform different sorts of encodings and other trickery. To be a good tester you also need to know how the browsers you’re concerned with behave differently. In Internet Explorer 6.0 there’s a behavior that’s allowed seemingly impassable input validation [...]

IIS 6.0 %uNNNN Unicode notation in the URL

I do a lot of web app pen testing. Character encoding is always an important part of many input validation test cases. Some people don’t realize that IIS accepts straight Unicode notation in the URL by default, so you can pass in Unicode characters just by typing the proper notation in ASCII [...]
