Developers tend to assume everything
is HTTP 200 (OK). It is worth triggering responses other than HTTP 200 (error pages,
for instance) and attempting script injection into those as well.
HTML Injection Using UTF-7 Encodings
If a user has Auto-Select encoding set (by choosing View | Encoding | Auto-Select) in IE,
an attacker can circumvent most HTML injection preventions. As mentioned earlier,
HTML injection prevention generally relies upon escaping potentially harmful characters.
However, UTF-7 represents markup characters using only common characters that are not
normally escaped or, depending on the web application, cannot be escaped. The UTF-7
encoded version of <script>alert(1)</script> is this:
+ADw-script+AD4-alert(1)+ADw-/script+AD4-
Note that this is an uncommon attack because users generally do not have Auto-
Select encoding turned on. Other UTF encoding attacks exist that leverage the
variable length of character encodings, but they require extensive knowledge of UTF
and are out of scope for this book. However, this issue introduces how neglecting the
way a browser decides how to interpret a response, such as its encoding and MIME type,
can lead to HTML injection.
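The following added example, which is not code from the book, reproduces the mechanism above end to end: a hand-written UTF-7 encoder that base64-shifts '<' and '>' the way an attacker would (Python's own utf-7 codec leaves them unencoded, so it would not produce the string shown), a stand-in escaping filter (html.escape) that finds nothing to escape in the result, and a simplified browser model that decodes the body as UTF-7 when no charset is declared. The payload is the one shown above; the filter, the browser model and the contains_utf7_shift check are assumptions constructed for the demonstration.

```python
"""UTF-7 HTML injection: why escaping '<' and '>' is not enough when the
response does not declare a charset. Constructed example; only the
<script>alert(1)</script> payload comes from the chapter."""
import base64
import html
import re

# RFC 2152 "set D" plus the whitespace UTF-7 allows unencoded. Everything else,
# including '<', '>', '"' and '&' (which RFC 2152 only optionally allows
# directly), is forced into a +...- base64 run. That run contains no character
# an HTML escaping filter looks for.
DIRECT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
             "0123456789'(),-./:? \t\r\n")


def utf7_encode_hostile(text):
    """Encode text as UTF-7, base64-shifting every character outside set D."""
    out, run = [], []

    def flush():
        if run:
            raw = "".join(run).encode("utf-16-be")      # UTF-7 shifts UTF-16BE units
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=")  # modified base64: no padding
            out.append("+" + b64 + "-")                  # '-' terminates the shift
            run.clear()

    for ch in text:
        if ch == "+":                 # a literal '+' is written as "+-"
            flush()
            out.append("+-")
        elif ch in DIRECT:
            flush()
            out.append(ch)
        else:
            run.append(ch)
    flush()
    return "".join(out)


def naive_html_escape(user_input):
    """Stand-in (assumed) server-side filter that escapes & < > " and '."""
    return html.escape(user_input, quote=True)


def render(body, declared_charset=None):
    """Simplified browser model (assumption): a declared charset is honoured;
    with none, an IE with Auto-Select may sniff the body as UTF-7. The model
    always picks UTF-7 in that case to show the worst outcome."""
    if declared_charset:
        return body.decode(declared_charset)
    return body.decode("utf-7")


def contains_utf7_shift(user_input):
    """Defensive check: '+' followed by at least three base64 characters is a
    shift sequence long enough to encode one UTF-16 code unit."""
    return re.search(r"\+[A-Za-z0-9+/]{3,}", user_input) is not None


def demo(payload="<script>alert(1)</script>"):
    encoded = utf7_encode_hostile(payload)
    filtered = naive_html_escape(encoded)          # the filter changes nothing
    body = ("<p>" + filtered + "</p>").encode("ascii")
    return {
        "encoded": encoded,
        "filter_changed_anything": filtered != encoded,
        "rendered_no_charset": render(body),       # script tag comes back
        "rendered_utf8": render(body, "utf-8"),    # stays inert text
        "flagged": contains_utf7_shift(encoded),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two render calls are the practical takeaway: the same filtered bytes are harmless when the response declares a charset and become an executing script tag when the browser is left to guess, so an explicit charset in the Content-Type header (or rejecting input that matches contains_utf7_shift) closes the gap that character escaping alone leaves open.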
HTML Injection Using MIME Type Mismatch
IE has many surprising and undocumented behaviors.