Collaborate Disseminate
Recently, there has been an absolute massive flood of scammers on YouTube videos related to Bitcoin. Their "trick" is to use the exact same username and profile picture as the person who uploaded the video, for example "MMCr… Continue reading How is it possible for scammers on YouTube to use the same exact username as the author of the video?
On a particular page in this application, we have a form which allows for a very select few to input data into it, because at the end of the day (and, well, event loop) we end up wrappping that input in to an eval which we highly sanitize … Continue reading Zero width character causing Javascript runtime error
I am doing some xss challenges and I have a challence that has angle brackets, single, double quotes, backslash and backticks Unicode-escaped when I enter them in the search box.
How can I bypass this filter ? I searched google but found n… Continue reading How to do and XSS on angle brackets, single, double quotes, backslash and backticks Unicode-escaped
I am building a web application in which a third party library is used, which transforms the user input into JSON and sends it to an controller action. In this action, we serialize the input using the standard Microsoft serialize from the … Continue reading Is unicode character encoding a safe alternative for html encoding when rendering unsafe user input to html?
An innocent-looking message, containing characters in the Sindhi language, can cause your iPhone to crash without warning.
Read more in my article on the Hot for Security blog.
Continue reading Text ‘bomb’ crashes iPhones, iPads, Macs and Apple Watches – what you need to know
Are there any character encoding mixup attacks that are still a threat in 2020? Such as with XSS or SQL injection being the most obvious.
Some examples:
Tricking a browser to display a page in UTF-7 despite XSS filtering was done in UT… Continue reading XSS / SQL Injection Attacks with Character Encoding Mixups
I once encountered a very interesting type of XSS on a website purely by accident. This website allows users to upload PDFs, and will open the PDF in browser with some builtin Javascript. What happened was I uploaded a paper of mine that c… Continue reading PDF fonts, encodings, and risk potentials interacting with web browser
Say we have a server-side code does a whitelist validation of allowed file extensions when user uploads a file:
// Java code
if (allowedExtensionsInLowercase.contains(fileExtension.toLowerCase())) {
// File allowed
} else {
// Booh, bad… Continue reading Is there a list of Unicode symbols that matches ASCII when lowercased (in java)?
Unicode, the wonderful extension to to ASCII that gives us gems like “✈”, “⌨”, and “☕”, has had some unexpected security ramifications. The most common problems with Unicode are visual security issues, like character confusion between letters. For example, the English “M” (U+004D) is indistinguishable from the Cyrillic “М” (U+041C). …read more
Continue reading This Week in Security: Unicode, Truecrypt, and NPM Vulnerabilities
I’ve got two byte sequences, and I decode them as UTF-8 (in strict mode to be sure they’re valid UTF-8).
Is it correct to assume that, if the bytes are different, the decoded codepoints will also be different?
In other word… Continue reading Is UTF-8 malleable?