Bug 44445 (UNCONFIRMED)
Reflective XSS Protection and ASP unicode messing
https://bugs.webkit.org/show_bug.cgi?id=44445
Giovanni Bajo
Reported 2010-08-23 11:39:49 PDT
The Reflective XSS Protection currently present in Chrome/WebKit fails to handle a weird Unicode "pruning" made by ASP servers (where they substitute homoglyphs). The issue is well detailed in this blog post: http://hackademix.net/2010/08/17/lost-in-translation-asps-homoxssuality/
Adam Barth
Comment 1 2010-08-23 12:08:13 PDT
We could normalize these before comparison, but there's a long tail of complex transformations like this. It's unclear whether we're better off chasing that tail or letting these folks realize that magically substituting one character for another is a bad idea.
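An added example, not part of the bug thread or WebKit's code: a simplified reflection check showing where normalizing before comparison helps and where the long tail mentioned in Comment 1 remains. The substitution table, function names and sample strings are constructed assumptions, not ASP's actual mapping.

```javascript
// Constructed stand-in for a server-side look-alike substitution table.
// These pairs are assumptions for illustration, not ASP's actual mapping.
const SERVER_FOLD = new Map([
  ["\uFF1C", "<"], // FULLWIDTH LESS-THAN SIGN (NFKC also folds this)
  ["\uFF1E", ">"], // FULLWIDTH GREATER-THAN SIGN (NFKC also folds this)
  ["\u2039", "<"], // SINGLE LEFT-POINTING ANGLE QUOTATION MARK (no NFKC mapping)
  ["\u203A", ">"], // SINGLE RIGHT-POINTING ANGLE QUOTATION MARK (no NFKC mapping)
]);

// What the server echoes into the page after applying its substitution.
function serverEcho(param) {
  return Array.from(param, (ch) => SERVER_FOLD.get(ch) ?? ch).join("");
}

// Reflection check: does the tag found in the response appear in the request?
// `canon` is applied to both sides before the comparison.
function isReflected(requestParam, responseTag, canon = (s) => s) {
  const req = canon(requestParam).toLowerCase();
  return req.includes(canon(responseTag).toLowerCase());
}

const nfkc = (s) => s.normalize("NFKC");

// Run the check twice: byte-for-byte, and after NFKC normalization.
function audit(requestParam) {
  const response = serverEcho(requestParam);
  const tag = (response.match(/<script\b[^>]*>/i) || [null])[0];
  if (tag === null) return { tag: null, exact: false, normalized: false };
  return {
    tag,
    exact: isReflected(requestParam, tag),
    normalized: isReflected(requestParam, tag, nfkc),
  };
}

// Constructed sample request parameters.
const SAMPLES = {
  plain: "<script>x</script>",
  fullwidth: "\uFF1Cscript\uFF1Ex\uFF1C/script\uFF1E",
  angleQuote: "\u2039script\u203Ax\u2039/script\u203A",
};

for (const [name, value] of Object.entries(SAMPLES)) {
  console.log(name, audit(value));
}
```

The `angleQuote` sample is the long tail in miniature: the server folds it to a tag, but NFKC leaves it untouched, so the normalized comparison still does not see the reflection.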