Update:
NoScript v2.0.2.3 does not have this problem anymore. I'm happier now. Thanks to its clever author.
As I told Giorgio, all the problems will be reported to him first ;)
Woohoo! You/We/They/or whatever! can still use Unicode in some places!
NoScript cannot detect special Unicode characters which mean something in ASP:
PoC:
http://Example.com/VulnFile.asp?DangInput=%u2329scr%u0131pt%u232A%u212Fval('alert'%2b'("NoScript Bypass in ASP!\\nBy Soroush Dalili")')%u2329/scr%u0131pt%u232A
In this example I selected the characters from: http://rishida.net/scripts/uniview/uniview.php. For instance:
%u2329 = <
%u0131 = i
%u232A = >
%u212F = e
That is how they are read from Microsoft's point of view! Therefore, IE8's XSS prevention can detect this encoding, while NoScript cannot.
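A defender-side check for the mismatch described above, as an added example that is not part of the original post: it decodes `%uXXXX` escapes in a raw query string, applies the four best-fit folds listed in the post, and reports markup that only appears after folding. The function names and sample query strings are constructed for illustration, and the four-entry table is deliberately partial.

```python
import re

# Best-fit folds taken from the post's four examples only. The table the
# server really applies is much larger, so this one is deliberately partial.
BEST_FIT = {0x2329: "<", 0x0131: "i", 0x232A: ">", 0x212F: "e"}

# One pass over both escape styles so a decoded "%" is never decoded again.
# Assumption: plain %XX bytes are treated as single Latin-1 characters.
ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def decode_once(raw: str) -> str:
    """Decode %uXXXX and %XX escapes exactly once."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), raw)


def fold(text: str) -> str:
    """Apply the best-fit mapping the way the server-side conversion would."""
    return text.translate(BEST_FIT)


def classify(raw_query: str) -> str:
    """Return 'clean', 'markup', or 'markup-after-fold' for a raw query string."""
    decoded = decode_once(raw_query)
    if MARKUP.search(decoded):
        return "markup"              # visible to a filter that only URL-decodes
    if MARKUP.search(fold(decoded)):
        return "markup-after-fold"   # only visible once best-fit folding is applied
    return "clean"


if __name__ == "__main__":
    # Constructed sample query strings.
    samples = [
        "DangInput=%u2329scr%u0131pt%u232A",  # folds to <script>
        "q=caf%u00E9",                        # ordinary non-ASCII text
        "q=%3Cb%3E",                          # plain percent-encoded markup
    ]
    for s in samples:
        print(f"{classify(s):18} {s}")
```
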
Doesn’t work in all Classic ASP applications. Only if you work with the standard configuration. More details and examples at http://zend.lojcomm.com.br/entries/fixing-classic-asp-requestquerystring-unicode-utf/
Giorgio addresses this here: http://hackademix.net/2010/08/17/lost-in-translation-asps-homoxssuality/
No thanks to your lack of responsible disclosure.
@Fabio: If you validate all of your users' input data, there is no need to worry about an XSS attack. Whenever ASP receives these specially encoded characters, it converts them to their final shape from the start. In other words, ASP does not even know that someone sent it an encoded message, because it can only see the final converted characters. For example, if you send "%u2329" to an ASP file, there is no normal way in this ASP file to reach the exact UTF-16 value, and you can only see the "<" character. (If you capture the whole QUERY_STRING, it is possible to detect that a "%u2329" value was received.)
@Rushyo: I'll do it next time dude :)
For the record, NoScript 2.0.2rc2 & later solves this problem.