Unicode Encoding for Bypassing XSS Filters

Posted by: Barracuda labs

Unicode encoding-based filter evasions have been around for years, and we thought web developers would have written filters to cover them all. However, it seems that is not true. The new round comes from Arian Evans and Jeremiah Grossman, who tested the Unicode-encoded left (%u00AB) and right (%u00BB) angle quotation marks for getting around XSS filters. They hinted at it 2 years ago but did not get a chance to actually test it until now (nobody else did either, as there is no mention of it on the XSS cheat sheet).

According to their post on the webappsec mailing list, the Unicode left and right angle quotation marks sometimes get translated into ‘<’ and ‘>’, respectively. This would allow inclusion of arbitrary HTML content on a web page, and hence JavaScript too (e.g. %u00ABscript%u00BB). They tested around 300 to 1000 websites and found about 44 of them vulnerable to this evasion technique, with 200 locations and 1000+ input variables to attack! Notably, they only counted those sites where this was the only way to evade the filter, so there might be many more where this would have worked alongside other techniques.
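The failure mode described above is an ordering bug: the filter inspects the input before a later, lossy charset conversion turns the quotation marks into real angle brackets. The following is an added example (not code from the post or from Evans and Grossman) that models that pipeline. The `%uXXXX` decoder, the `BEST_FIT` table and the function names are assumptions made for the illustration; real best-fit mappings differ by platform, and the table only reproduces the two characters the post names. It shows the naive blacklist filter being bypassed, a hardened version that canonicalizes first and then output-encodes, and a small detection helper that flags parameters carrying angle-bracket lookalikes.

```python
import html
import re
from urllib.parse import unquote

# Constructed model of a lossy "best-fit" transliteration that some back ends
# apply when narrowing Unicode to a legacy charset. It maps U+00AB and U+00BB
# to '<' and '>' as the post describes; real mappings vary by platform.
BEST_FIT = {"\u00ab": "<", "\u00bb": ">"}

# %uXXXX is a non-standard escape that some servers accept; hypothetical decoder.
PERCENT_U = re.compile(r"%u([0-9A-Fa-f]{4})")


def decode_request_param(raw):
    """Decode %uXXXX sequences, then ordinary %XX escapes, returning the
    Unicode string the application actually sees."""
    with_u = PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(with_u)


def transliterate(text):
    """Simulated charset-narrowing step that runs after the filter."""
    return "".join(BEST_FIT.get(ch, ch) for ch in text)


def naive_filter(raw):
    """Blacklist filter applied before transliteration.

    It never sees '<' or '>' because the input only contains U+00AB/U+00BB,
    so the payload survives and becomes '<script>' downstream."""
    decoded = decode_request_param(raw)
    if "<" in decoded or ">" in decoded:
        return ""  # rejected
    return transliterate(decoded)


def hardened_render(raw):
    """Canonicalize first (apply every lossy transform the pipeline will
    apply), then output-encode; any angle bracket that emerges is escaped."""
    decoded = decode_request_param(raw)
    canonical = transliterate(decoded)
    return html.escape(canonical, quote=True)


def looks_like_evasion(raw):
    """Detection helper: flag parameters that carry angle-bracket lookalikes,
    which is worth logging even when the filter would have passed them."""
    decoded = decode_request_param(raw)
    return any(ch in decoded for ch in BEST_FIT)


if __name__ == "__main__":
    payload = "%u00ABscript%u00BB"
    print("naive filter output   :", naive_filter(payload))
    print("hardened render output:", hardened_render(payload))
    print("flagged for review    :", looks_like_evasion(payload))
```

The design point is that validation has to run on the same representation that reaches the interpreter: either canonicalize before filtering, or (better) stop relying on a blacklist and contextually encode at output time, so that whatever the charset layer produces is rendered as text rather than markup.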

Lesson learned: security is a state at a given point in time. Once achieved, it does not hold forever. You need to constantly re-evaluate and update it to counter new attacks.