NoScript New Bypass Method by Unicode in ASP


NoScript v2.0.2.3 does not have this problem anymore. I’m happier now. Thanks to its clever author.

As I told Giorgio, all the problems will be reported to him first ;) 

Woohoo! You/We/They/or whatever! can still use Unicode in some places!

NoScript cannot detect special Unicode characters that mean something in ASP:

PoC:‘alert’%2b'(“NoScript Bypass in ASP!\\nBy Soroush Dalili”)’)%u2329/scr%u0131pt%u232A

In this example I selected the characters from: . For instance:
%u2329 = <
%u0131 = i
%u232A = >
%u212F = e
From Microsoft’s point of view! Therefore, IE8 XSS prevention can detect this encoding and NoScript cannot.

4 thoughts on “NoScript New Bypass Method by Unicode in ASP”

  1. Soroush Dalili Post author

    @Fabio: If you validate all of your users’ input data, there is no need to worry about an XSS attack. Whenever ASP receives these special encoded characters, it converts them to their final form from the start. In other words, ASP does not even know that someone sent it an encoded message, because it can only see the final converted characters. For example, if you send “%u2329” to an ASP file, there is no normal way in this ASP file to get at the exact UTF-16 value, and you can only see the “<” character. (If you capture the whole QUERY_STRING, it is possible to detect that a “%u2329” value was received.)

    @Rushyo: I’ll do it next time dude :)
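The check mentioned in the reply above (looking at the raw QUERY_STRING for `%uXXXX` before ASP converts it), sketched in Python as an added example that is not part of the original post or its comments. The mapping table holds only the four pairs listed in the post; the function names and the sample query strings are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The four best-fit pairs listed in the post; the table ASP really applies is
# larger, so treat this dict as a sample, not a complete blocklist.
BEST_FIT = {0x2329: "<", 0x232A: ">", 0x0131: "i", 0x212F: "e"}

ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def fold(raw_query: str) -> str:
    """Approximate the value the ASP code sees: one decoding pass over %XX and
    %uXXXX, with the post's best-fit pairs folded to ASCII."""
    def repl(m):
        cp = int(m.group(1) or m.group(2), 16)
        return BEST_FIT.get(cp, chr(cp))
    return ESCAPE.sub(repl, raw_query)


def inspect_query(raw_query: str) -> dict:
    """Report %uXXXX use in the raw (undecoded) query string."""
    tokens = PCT_U.findall(raw_query)
    hits = [t for t in tokens if int(t[2:], 16) in BEST_FIT]
    plain = unquote(raw_query)   # view of a filter that ignores %uXXXX
    folded = fold(raw_query)
    return {
        "pct_u_tokens": tokens,
        "best_fit_hits": hits,
        "folded": folded,
        # Markup that exists only after folding is the case the post describes.
        "markup_only_after_folding":
            bool(MARKUP.search(folded)) and not MARKUP.search(plain),
    }


if __name__ == "__main__":
    # Constructed samples; the first reuses the %u tokens quoted in the post.
    for q in ("q=hello%u2329/scr%u0131pt%u232A", "q=caf%u00E9", "q=a%3Cb%3E"):
        print(q, inspect_query(q))
```

A filter that runs on the folded value sees the same characters the ASP code does, while the `pct_u_tokens` list gives a cheap logging signal on the raw string.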
