Finding bad characters can be an exhausting task


Post by luntrus »

Hi forum friends,

I posted about this here: https://forum.avast.com/index.php?topic=61473.0
I wonder if NoScript is also neutralizing these?

luntrus

Re: Finding bad characters can be an exhausting task

Post by Giorgio Maone »

Characters can be "bad", but they're hardly malicious.

And what's bad really depends on context. Some character which is "bad" in UTF-8 (a malformed sequence) can represent 2 or 3 valid characters in another charset, e.g. a Latin variant.
A "0" byte is an ending sequence in UTF-8 (thus "bad" in the middle of a string), but is extremely common in UTF-16.

So unless you're a developer testing the output or the input of his program for malformed strings, or you're writing a parser/validator, there's no need to worry about "bad" characters.

For what it's worth, NoScript's XSS filter is charset-aware, and therefore tries to correctly handle "bad" characters when performing its checks.
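The charset dependence described in the reply above, as an added example that is not part of the original thread and is not NoScript's code: it decodes the same constructed byte strings under UTF-8, Latin-1 and UTF-16LE and reports malformed spans and embedded NUL characters. The function names and sample bytes are assumptions made for illustration.

```python
# Added example (not from the thread): one byte string, several charsets.

def malformed_spans(data: bytes, charset: str):
    """Return (start, end, reason) for every span that fails strict decoding."""
    spans, pos = [], 0
    while pos < len(data):
        try:
            data[pos:].decode(charset, errors="strict")
            break  # the rest decodes cleanly
        except UnicodeDecodeError as err:
            spans.append((pos + err.start, pos + err.end, err.reason))
            pos += err.end  # resume just past the malformed bytes
    return spans


def interpret(data: bytes, charsets=("utf-8", "latin-1", "utf-16-le")):
    """Decode the same bytes under each charset and summarise the outcome."""
    report = {}
    for cs in charsets:
        spans = malformed_spans(data, cs)
        text = data.decode(cs, errors="replace")
        report[cs] = {
            "valid": not spans,
            "malformed": spans,
            "chars": len(text),
            "embedded_nul": text.count("\x00"),
            "text": text,
        }
    return report


# Constructed sample inputs, chosen for illustration only.
SAMPLES = {
    "lead byte without continuation": b"\xc3\x28",
    "'hi' encoded as UTF-16LE": "hi".encode("utf-16-le"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {raw!r}")
        for cs, info in interpret(raw).items():
            print(f"  {cs:10} valid={info['valid']} chars={info['chars']} "
                  f"nul={info['embedded_nul']} malformed={info['malformed']}")
```

A validator or filter that runs such a check has to use the charset the consumer of the data will actually apply, since the same bytes give different results under each one.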