[Webkit-unassigned] [Bug 66588] New: XSS filter bypass via non-standard URL encoding

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Aug 19 14:07:01 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=66588

           Summary: XSS filter bypass via non-standard URL encoding
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: XSSAuditor
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: abarth at webkit.org
                CC: dbates at webkit.org
        Depends on: 66579


(I thought this bug was filed somewhere already, but I couldn't find it.)

Quoting Wikipedia:

[[
There exists a non-standard encoding for Unicode characters: %uxxxx, where xxxx is a Unicode value represented as four hexadecimal digits. This behavior is not specified by any RFC and has been rejected by the W3C. The third edition of ECMA-262 still includes an escape(string) function that uses this syntax, but also an encodeURI(uri) function that converts to UTF-8 and percent-encodes each octet.
]]
-- http://en.wikipedia.org/wiki/Percent-encoding#Non-standard_implementations

It turns out ASP (or possibly ASP.NET) servers decode these sequences, which leads to an XSS filter bypass because we don't understand that transformation.  ASP servers are a large enough population that it's probably worth teaching the XSS auditor to understand this case.
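The decoding mismatch described above, as an added example that is not part of the original report and is not WebKit's XSSAuditor code: a reflection check that decodes only standard `%XX` sequences misses a value the server decoded from `%uXXXX`, while a canonicalizer that understands both forms catches it. The function names, the simplified substring check and the sample strings are assumptions constructed for illustration.

```javascript
// Decode a run of standard %XX octets as UTF-8; keep malformed runs verbatim.
function decodeOctetRun(run) {
  try {
    return decodeURIComponent(run);
  } catch (e) {
    return run; // not valid UTF-8: leave the raw text alone
  }
}

// RFC 3986 style decoding only: %uXXXX is left untouched.
function decodeStandard(s) {
  return s.replace(/(?:%[0-9A-Fa-f]{2})+/g, decodeOctetRun);
}

// Also decode the non-standard %uXXXX form (one UTF-16 code unit each).
// Both forms are handled in a single pass so "%25u003C" becomes the literal
// text "%u003C" and is not decoded a second time.
function decodeWithPercentU(s) {
  return s.replace(
    /%u([0-9A-Fa-f]{4})|((?:%[0-9A-Fa-f]{2})+)/g,
    (match, hex, run) =>
      hex !== undefined
        ? String.fromCharCode(parseInt(hex, 16))
        : decodeOctetRun(run)
  );
}

// Simplified reflection check: does the decoded request value appear in the
// response body? (A real filter matches on script-bearing fragments.)
function isReflected(rawValue, responseBody, decoder) {
  const decoded = decoder(rawValue);
  return decoded.length > 0 && responseBody.includes(decoded);
}

// Constructed sample: a query value using %uXXXX, and the body a server that
// decodes %uXXXX would send back after echoing it.
const rawValue = "%u003Cb%u003Ehi%u003C%2Fb%u003E";
const responseBody = "<p>Results for <b>hi</b></p>";

console.log("standard decoder sees reflection:",
  isReflected(rawValue, responseBody, decodeStandard));
console.log("%u-aware decoder sees reflection:",
  isReflected(rawValue, responseBody, decodeWithPercentU));
```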
