Monthly Archives: March 2009

Advisory: Lenovo/IBM ActiveX buffer overflow

Posted on March 27, 2009 by Chris Weber

CERT released the advisory for this, which I believe is not being fixed by Lenovo/IBM. http://www.kb.cert.org/vuls/id/340420 This ActiveX control comes preinstalled on many Lenovo systems, and is also downloaded from the main page of their support site. It’s a nasty … Continue reading →

Posted in advisory | Tagged ActiveX | Leave a comment

Detecting ill-formed UTF-8 byte sequences in HTML content

Posted on March 25, 2009 by Chris Weber

One issue I’ve come across, pretty infrequently, is the existence of ill-formed UTF-8 byte sequences in HTML content. As far as I can tell nobody’s every really tried to find this type of bug. Huh, so what’s up? UTF-8 is … Continue reading →

Posted in Unicode | Tagged encoding, encodings, UTF8 | Leave a comment

Watcher: a free web-app security vulnerability scanner

Posted on March 14, 2009 by Chris Weber

I announced Watcher at CanSecWest and I’m happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence also announced our it at MIX09 yesterday. Check out his talk at http://videos.visitmix.com/MIX09/T54F it’s an eye opener for Web developers – … Continue reading →

Posted in Web, security, testing | Tagged Watcher | Leave a comment

Unicode security attacks and test cases: character mappings and normalization for testing

Posted on March 12, 2009 by Chris Weber

Point: Normalizing strings after validation is dangerous Impact: filter evasion, enabling code execution Are you testing a Web or other application in attempt to bypass restrictions on domain names? For example, what if you were testing a phishing filter and … Continue reading →

Posted in Web, testing | Tagged normalization | Leave a comment

Uniview character lookup tool

Posted on March 12, 2009 by Chris Weber

Richard Ishida has an online character lookup tool which is very nice. It’s called Uniview and it’s comparable to Babelmap in some functionality but it’s available online if that’s useful to you. If you’re looking to use any of the … Continue reading →

Posted in security | Leave a comment

Presenting IDN spoofing threats to ICANN’s security committee

Posted on March 5, 2009 by Chris Weber

I had the chance to present to the ICANN Security and Stability Advisory Committee during their ICANN Mexico conference. It was an opportunity to give a portion of my upcoming presentation on Exploiting Unicode-enabled Software, focusing just on IDN visual … Continue reading →

Posted in Unicode, Web | Tagged IDN, spoofing | Leave a comment