Mar 3, 2009 - case folding, best-fit mapping, 17 planes ... Root Causes. IDN – Internationalized Domain Names ... Guida
Exploiting Unicode-enabled Software
CanSecWest March 2009
Chris Weber www.lookout.net
[email protected] Casaba Security
PETA Certified Presentation • People for the Ethical Treatment of ASCII – “No ASCII characters were harmed in the making of this presentation.”
March, 2009
www.casabasecurity.com
© 2009 Chris Weber
Exploiting Unicode-enabled Software: Agenda
• Unicode crash course
• Root Causes
• Attack Vectors
• Tools
  – Find Unicode issues in Web-testing
  – Visual Spoofing Detection API
Unicode Crash Course: a timeline
• 1963 – ASCII 7-bit
• 1964 – EBCDIC
• 1981 – CP437
• 1981 – MBCS
• GB2312
• 8th bit free-for-all to follow
• 1985 – ISO-8859-1
• 1990 – ISO 10646 (UCS)
• 1991 – Unicode
• More code pages galore
Unicode Crash Course: Code pages and charsets
• Shift_JIS
• GB2312
• ISCII
• Windows-1252
• ISO-8859-1
• EBCDIC 037
Unicode Crash Course: Ad Infinitum
• Unicode can represent them all
• ASCII range is preserved – U+0000 to U+007F are mapped to ASCII
[Figure omitted; source: Wikipedia]
Unicode Crash Course: The Unicode Attack Surface
• End users
• Applications
• …
> "onerror="alert(1)"
becomes
Root Causes: Guidance for Charset Mismatches
• Force UTF-8
• Error if uncertain
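The two guidance points above, worked through in Python as an added example (this is not code from the slides or from Watcher; the byte samples and the HTML_SYNTAX set are constructed here). It shows why "error if uncertain" matters: a lenient single-byte decoder accepts any input, while strict UTF-8 rejects malformed bytes. It also shows the related best-fit hazard the deck's `"onerror="alert(1)"` fragment points at: characters such as U+FF02 contain no ASCII `"` until a compatibility normalization (NFKC) or best-fit mapping turns them into one, so validation has to run after a single, fixed normalization step.

```python
import unicodedata

# Constructed samples for this example (not from the slides):
WELL_FORMED = "caf\u00e9 <b>".encode("utf-8")   # valid UTF-8: b'caf\xc3\xa9 <b>'
MALFORMED = b"\xc0\xaf"                          # 0xC0 is never a valid UTF-8 lead byte

# ASCII characters that change meaning inside an HTML tag or attribute.
HTML_SYNTAX = set('<>"\'&=')


def decode_as(raw: bytes, charset: str) -> str:
    """A 'guess the charset' decode: single-byte charsets accept every byte,
    so malformed UTF-8 silently becomes other characters instead of an error."""
    return raw.decode(charset)


def safe_decode(raw: bytes):
    """Force UTF-8 and error if uncertain: strict decoding, no fallback charset,
    no U+FFFD replacement. Returns (text, None) or (None, reason)."""
    try:
        return raw.decode("utf-8", errors="strict"), None
    except UnicodeDecodeError as exc:
        return None, f"reject: {exc.reason} at byte offset {exc.start}"


def find_compat_syntax(text: str):
    """List non-ASCII characters whose NFKC (compatibility) form contains an
    HTML syntax character. Such characters pass a filter that only looks for
    ASCII '<' or '"', then become those delimiters if a later layer
    normalizes or best-fit maps them."""
    hits = []
    for pos, ch in enumerate(text):
        if ord(ch) < 0x80:
            continue
        folded = unicodedata.normalize("NFKC", ch)
        if any(c in HTML_SYNTAX for c in folded):
            hits.append((pos, f"U+{ord(ch):04X}", folded))
    return hits


def accept_untrusted(raw: bytes):
    """Decode strictly, normalize once (NFC) before any validation, and refuse
    input that would only turn into syntax after a compatibility mapping."""
    text, reason = safe_decode(raw)
    if text is None:
        return None, reason
    text = unicodedata.normalize("NFC", text)
    hits = find_compat_syntax(text)
    if hits:
        return None, "reject: compatibility-mapped syntax chars " + ", ".join(h[1] for h in hits)
    return text, None


if __name__ == "__main__":
    print(decode_as(MALFORMED, "cp1252"))   # lenient decode hides the problem
    print(safe_decode(MALFORMED))            # strict decode reports it
    # Fullwidth quotation marks: no ASCII '"' is present until NFKC runs.
    smuggled = "\uff02onerror=\uff02".encode("utf-8")
    print(find_compat_syntax(smuggled.decode("utf-8")))
    print(accept_untrusted(smuggled))
```

The design choice is to do the charset decision exactly once, at the trust boundary, with strict UTF-8, and to normalize exactly once before any filter runs; every later layer then sees the same code points the validator saw.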
Tools
• Watcher – Web-app security testing and auditing
• Visual Spoofing Detection API – Providing guarantees against Visual Spoofing and Homograph attacks
Tools: Watcher – Some of the Passive Checks Included
• Unicode transformation hot-spots
• User-controlled HTML
• Cross-domain issues
• Insecure cookies
• Insecure HTTP/HTTPS transitions
• SSL protocol and certificate issues
• XSS hot-spots
• Flash issues
• Silverlight issues
• Information disclosure
Tools: Watcher – Web-app Security Testing and Auditing
http://websecuritytool.codeplex.com
Tools: Visual Spoofing Detection API
• Problem – Unicode enables visual-spoofing-maximus
• Solution
  – Confusable detection
  – Invisibles detection
  – Syntax spoof detection
  – more
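The three detection ideas listed above (confusables, invisibles, and the mixed-script signal that usually accompanies a homograph), as an added Python example. This is not the Visual Spoofing Detection API itself, which the deck describes as a C library; the CONFUSABLE_MAP is a small constructed subset of a confusables table, and the script detection is an approximation built from Unicode character names rather than from the Unicode Script property.

```python
import unicodedata

# Constructed subset of a confusables table (not the API's own data): each
# non-Latin look-alike maps to the Latin/ASCII character it resembles.
CONFUSABLE_MAP = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def skeleton(text: str) -> str:
    """Reduce a string to a comparison form: compatibility-decompose (so
    fullwidth and ligature forms fold to ASCII), drop combining marks and
    format characters, map look-alikes, then case-fold. Two strings with
    equal skeletons are confusable with each other."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.category(ch) in ("Mn", "Cf"):  # no visible base glyph of its own
            continue
        out.append(CONFUSABLE_MAP.get(ch, ch))
    return "".join(out).casefold()


def find_invisibles(text: str):
    """Report characters that render as nothing or as blank space: format
    characters (Cf, e.g. zero-width space/joiner, BOM) and non-ASCII spaces."""
    hits = []
    for pos, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if cat == "Cf" or (cat == "Zs" and ch != " "):
            hits.append((pos, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def scripts_used(text: str):
    """Approximate script detection from the first word of the character
    name ('LATIN', 'CYRILLIC', ...); non-letters are treated as COMMON."""
    scripts = set()
    for ch in text:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
        else:
            scripts.add("COMMON")
    return scripts


def analyze(candidate: str, trusted: str) -> dict:
    """Run the three checks on a candidate label against a trusted one."""
    letter_scripts = scripts_used(candidate) - {"COMMON"}
    return {
        "confusable_with_trusted": candidate != trusted and skeleton(candidate) == skeleton(trusted),
        "invisibles": find_invisibles(candidate),
        "mixed_script": len(letter_scripts) > 1,
    }


if __name__ == "__main__":
    # Constructed samples: a Cyrillic 'а' in second position, and a zero-width space.
    print(analyze("p\u0430ypal", "paypal"))
    print(analyze("pay\u200bpal", "paypal"))
```

The skeleton comparison is the heart of confusable detection: a user agent that keeps skeletons of the names a user already trusts can flag a new name whose skeleton collides with one of them, and the invisibles and mixed-script checks catch the cases a look-alike table alone would miss.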
Tools: Visual Spoofing Detection API
• Cross-platform component library written in C
• Can be applied in user-agents or any software:
  – Browsers
  – Email clients
• Planned for release Fall 2009
• Email me with questions
Tools: Visual Spoofing Protection Demo
Thank you! Contact me with questions, new test cases, or ideas to share.
Visit my website for test cases, Unicode and security tools, and the Anti-Visual-Spoofing API.
Chris Weber www.lookout.net
Casaba Security www.casabasecurity.com