-
Archives
- November 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- September 2007
- April 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- April 2006
- August 2005
- April 2005
- March 2005
- March 2004
-
Meta
Tag Archives: testing
Unicode attacks and test cases: IDN and IRI display, normalization and anti-spoofing
Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters – mainly lower and upper case letters, numbers, and some punctuation. IRI’s … Continue reading
Unicode attacks and test cases – Visual Spoofing, IDN homograph attacks, and the Whole Script Confusables
More on lookalikes, confusables, IDN homograph attacks, and other fun stuff, continued from the previous post. To recap, the three classes of confusables are: Single-script Mixed-script Whole-script Whole-script confusables It’s starting to make sense now. Let’s look at the Unicode … Continue reading
Unicode attacks and test cases – Visual Spoofing, IDN homograph attacks, and the Mixed Script Confusables
More on lookalikes, confusables, IDN homograph attacks, and other fun stuff, continued from the previous post. Mixed-script confusables These occur when letters from one alphabet or script, are used to give the same visual appearance as letters from a completely … Continue reading
Unicode attacks and test cases – Visual Spoofing, IDN homograph attacks, and the Single Script Confusables
More on lookalikes, confusables, IDN homograph attacks, and other fun stuff, continued from the previous post. The Confusables These types of visual attacks are attributed to what’s known as ‘the confusables‘ and have been documented in Unicode’s Technical Report 36 … Continue reading
Unicode attacks and test cases – Visual Spoofing, IDN homograph attacks, and the Confusables
Let’s face it, playing tricks that mess with people’s perception can be fun. With Unicode, there’s lots of fun tricks to be had. What’s to stop someone from believing the following is what it appears to be: www.аmazon.com Looks like … Continue reading
32nd Internationalization and Unicode Conference
Just got back from the IUC in San Jose and wanted to post my slides.
Unicode root-cause security issues for generating test cases
When it comes to Unicode implementations, there’s a rich set of test cases to perform. Realizing it is the start. Automating it is the next step. Most Unicode-related security bugs can be categorized into the following root-causes: Canonicalization Interpreting non-shortest … Continue reading
CSS 2.1 escape sequences and encodings
I know there’s plenty of good work being done over at places like http://ha.ckers.com, and http://www.thespanner.co.uk/. I have been researching CSS 2.1 and testing some very thorough and complex HTML and CSS filters myself, and trying to find the stuff … Continue reading
Firefox renders xmlns xhtml in favor of XSS
My colleague John Hernandez showed me this trick the other day, which has proven useful as an exploit in many cases. If the site returns XML with a Content-Type: text/xml you’d normally think there’s not much script injection potential. However … Continue reading
IIS 6.0 %uNNNN unicode notation in the URL
I do a lot of web app pen testing. Character encoding is always an important part of many input validation test cases. Some people don’t realize that IIS takes straight unicode notation in the URL by default. So you can … Continue reading