utf8_decode bypass
by dominee on Aug. 21, 2009, under security
Security risks associated with utf8_decode and XSS filters
At BlackHat USA 2009, Eduardo Vela Nava (sirdarckcat) and David Lindsay presented a paper entitled “Our Favorite XSS Filters and How to Attack Them”. It is a very interesting paper; you should definitely take a look at it.
Among other things, it describes a neat way to bypass XSS (and SQL injection) filters with malformed UTF-8: a stray lead byte such as 0xF6 or 0xFC placed right in front of the character the filter is supposed to neutralise.
XSS:  vuln.php?input=%F6%3Cimg+onmouseover=prompt(/xss/)//%F6%3E
SQLi: index.php?username=test%FC%27%27+or+1=1+--+&password=a

Both payloads lean on the same weakness. utf8_decode() (before PHP 5.3.4) decided the length of a multibyte sequence from the lead byte alone: anything from 0xF0 upwards was taken as a four-byte character and the next three bytes were swallowed without checking that they were continuation bytes; since the result does not fit in ISO-8859-1, the whole group came out as a single "?". If escaping runs before the decode, the escaping is what gets swallowed. In the SQLi payload, addslashes() or magic_quotes turns the raw bytes FC 27 27 (a lead byte followed by two quotes) into FC 5C 27 5C 27; the decoder eats the backslash, quote and backslash together with the lead byte, a bare quote survives, and the query ends up as ... WHERE username='test?' or 1=1 -- '. The XSS payload applies the same idea to < and >: any filter that steps through the input with that lenient multibyte logic never sees them as special characters, whereas the browser, which treats a lone 0xF6 as one invalid byte, still gets <img onmouseover=prompt(/xss/)//...>.

Ouch. The lesson is about ordering as much as about utf8_decode(): validate or normalise the UTF-8 first, then escape what the database or browser will actually see, and for SQL use parameterised queries rather than escaping at all. utf8_decode() itself was hardened in PHP 5.3.4 (CVE-2010-3870), but the same differential shows up whenever a filter and the consumer behind it disagree on how to parse the bytes.
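As an added illustration (not code from this post or from the paper), here is a Python model of what the two payloads do. lenient_utf8_decode() reproduces the byte-stepping of PHP's utf8_decode() before 5.3.4 (the lead byte alone decides the sequence length and continuation bytes are not checked); php_addslashes() stands in for addslashes()/magic_quotes_gpc; lenient_html_escape() is a generic entity escaper that walks the input with the same lenient stepping, not a port of any particular PHP function. The payloads are the ones quoted above; the query template and all function names are assumptions made for the demo.

```python
"""Model of the decoder differential behind the utf8_decode bypass.

Added illustration, not code from the post or the paper. Assumptions:
lenient_utf8_decode() mirrors the byte-stepping of PHP's utf8_decode()
before 5.3.4; php_addslashes() models addslashes()/magic_quotes_gpc;
lenient_html_escape() is a generic escaper sharing the lenient stepping;
the SQL template and function names are made up for the demo.
"""
import html
from urllib.parse import unquote_to_bytes

XSS_PAYLOAD = b"%F6%3Cimg+onmouseover=prompt(/xss/)//%F6%3E"   # from the post
SQLI_PAYLOAD = b"test%FC%27%27+or+1=1+--+"                     # from the post


def url_decode(query_value: bytes) -> bytes:
    """Turn a query-string value into the raw bytes the application receives."""
    return unquote_to_bytes(query_value.replace(b"+", b" "))


def lenient_width(lead: int) -> int:
    """Sequence length the old decoder infers from the lead byte alone."""
    if lead >= 0xF0:
        return 4
    if lead >= 0xE0:
        return 3
    if lead >= 0xC0:
        return 2
    return 1


def lenient_utf8_decode(data: bytes) -> bytes:
    """Model of pre-5.3.4 utf8_decode(): UTF-8 -> ISO-8859-1 with no validation.
    Whatever follows a lead byte is consumed as if it were continuation bytes."""
    out = bytearray()
    i = 0
    while i < len(data):
        w = lenient_width(data[i])
        seq = data[i:i + w]
        if w == 1:
            out.append(seq[0])
        elif len(seq) < w:
            out += b"?"                       # truncated sequence at end of input
        else:
            cp = seq[0] & (0x7F >> w)         # drop the lead-byte marker bits
            for b in seq[1:]:
                cp = (cp << 6) | (b & 0x3F)
            cp &= 0xFFFF                      # the C code kept this in an unsigned short
            out += bytes([cp]) if cp <= 0xFF else b"?"
        i += w
    return bytes(out)


def php_addslashes(data: bytes) -> bytes:
    """Model of addslashes(): backslash-escape quotes and backslashes."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out += b"\\"
        out.append(b)
    return bytes(out)


def lenient_html_escape(data: bytes) -> bytes:
    """An escaper that shares the decoder's flaw: it steps over the input with
    lenient_width(), so a '<' swallowed into a bogus sequence is copied through."""
    table = {0x3C: b"&lt;", 0x3E: b"&gt;", 0x26: b"&amp;", 0x22: b"&quot;"}
    out = bytearray()
    i = 0
    while i < len(data):
        w = lenient_width(data[i])
        if w == 1 and data[i] in table:
            out += table[data[i]]
        else:
            out += data[i:i + w]
        i += w
    return bytes(out)


def strict_html_escape(data: bytes) -> bytes:
    """Correct order: validate/normalise the UTF-8 first, then escape characters."""
    return html.escape(data.decode("utf-8", errors="replace")).encode("utf-8")


def login_query_vulnerable(username: bytes) -> bytes:
    """Escape first, convert second: the lead byte eats the escaping backslash."""
    converted = lenient_utf8_decode(php_addslashes(username))
    return b"SELECT * FROM users WHERE username='" + converted + b"'"


def login_query_fixed(username: bytes) -> bytes:
    """Convert with a validating decoder first, then escape the bytes the database
    will see. (A parameterised query is the real answer; this shows the ordering.)"""
    converted = username.decode("utf-8", errors="replace").encode("latin-1", errors="replace")
    return b"SELECT * FROM users WHERE username='" + php_addslashes(converted) + b"'"


if __name__ == "__main__":
    sqli = url_decode(SQLI_PAYLOAD)
    print("vulnerable:", login_query_vulnerable(sqli))   # bare quote survives
    print("fixed:     ", login_query_fixed(sqli))
    xss = url_decode(XSS_PAYLOAD)
    print("lenient:   ", lenient_html_escape(xss))       # '<img' passes untouched
    print("strict:    ", strict_html_escape(xss))
```

Run it and compare the two query strings: the vulnerable chain yields username='test?' or 1=1 -- ', the fixed chain keeps both quotes escaped. lenient_utf8_decode() applied to the XSS payload also shows why a decoder-based inspection sees something quite different ("?g onmouseover=...") from the <img ...> tag the browser renders.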