AOH :: HP Unsorted B :: B06-4182.HTM

Bypassing script filters with variable-width encodings
Bypassing script filters with variable-width encodings
Bypassing script filters with variable-width encodings

Bypassing script filters with variable-width encodings

Author: Cheng Peng Su (
Date: August 7, 2006

We've all known that the main problem of constructing XSS attacks is
how to obfuscate malicious code. In the following paragraphs I will

attempt to explain the concept of bypassing script filters with
variable-width encodings, and disclose the applications of this
concept to

Hotmail and Yahoo! Mail web-based mail services.

Variable-width encoding Introduction
A variable-width encoding(a.k.a variable-length encoding) is a type of
character encoding scheme in which codes of differing lengths are

used to encode a character set. Most common variable-width encodings
are multibyte encodings, which use varying numbers of bytes to encode

different characters. The first use of multibyte encodings was for the
encoding of Chinese, Japanese and Korean, which have large character

sets well in excess of 256 characters. The Unicode standard has two
variable-width encodings: UTF-8 and UTF-16. The most commonly-used

codes are two-byte codes. The EUC-CN form of GB2312, plus EUC-JP and
EUC-KR, are examples of such two-byte EUC codes. And there are also

some three-byte and four-byte codes.

Example and Discussion
The following is a php file from which I will start to introduce my idea.


not "
      // NOTE: 5 space characters following the last \"
\r\n\r\n"; } ?> ------------------------------------------------------------------------- For most values of $i, Internet Explorer 6.0(SP2) will display "Char XXX is not available". When $i is between 192(0xC0) and 255(0xFF), you can see "Char XXX is available". Let's take $i=0xC0 for example, consider the following code: Char 192 is not available 0xC0 is one of the 32 first bytes of 2-byte sequences (0xC0-0xDF) in UTF-8. So when IE parses the above code, it will consider 0xC0 and the following quote as a sequence, and therefore these two pairs of FONT elements will become one with "xyz[0xC0]">not
message. Supposing it use UTF-8, we can attack by sending [font=xyz[0xC0]]buried[/font][font=abc onmouseover=alert() s=[0xC0]]exploited[/font] And it will be tranformed into buriedexploited Again, the exploitation is very flexible, this FONT-FONT example is just an enlightening one. The following exploitaion to Yahoo! Mail is quite different from this one. Disclosure ========= Using this method, I have found two XSS vulnerabilities in Hotmail and Yahoo! Mail web-based mail services. I informed Yahoo and Microsoft on April 30 and May 12 respectively. And they have patched the vulnerabilities. Yahoo! Mail XSS --------------- Before I discovered this vulnerability, Yahoo! Mail filtering engine could block "expression()" syntax in a CSS attribute using a comment to break up expression( expr/* */ession() ). I used [0x81] with the following asterisk to make a sequence, so that the second */ would close the comment. But the filtering engine considered the first two comment symbol as a pair. -------------------------------------------------------------------- MIME-Version: 1.0 From: user Content-Type: text/html; charset=GB2312 Subject: example exploited . -------------------------------------------------------------------- Hotmail XSS ----------- This exploitation is almost the same as the example.php. -------------------------------------------------------------------- MIME-Version: 1.0 From: user Content-Type: text/html; charset=SHIFT_JIS Subject: example exploited . -------------------------------------------------------------------- Reference ======== Wikipedia:Variable-width encoding( RFC 3629, the UTF-8 standard( RSnake:XSS Cheat Sheet( ( Original text: )

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to