| Sign in

A source-to-source translator for securing Javascript-based web content

Project Home		Downloads		Wiki		Issues		Source

Search

End-user's Guide

Integration Guide

Developer's Guide

Design Decisions

Releases

CajaVersions

Community

External articles about caja
Containers that use caja
Mailing lists
Ideas and feature requests

RefactoringToolFeatureRequests

Glossary of common terms
All wiki pages

Updated Jun 04, 2008 by mikesamuel
Labels:	Attack-Vector

NullCharEscapes

cannot match protocol of an absolute URL via String.startsWith.

Null characters in URL can disguise protocols such as `javascript:`.

Effect

Unsanitized code can be embedded in comments, and conditional compilation might disable runtime assertions.

Background

RFC 3986 allows the following characters in a URI scheme:

scheme      = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )

IE apparently allows, and silently removes, certain characters from URLs.

Collin Jackson reports that unicode code point 65533 is one of those.

The last 4 code points in 32b unicode are:

0xfffc - Object replacement character, a placeholder
0xfffd (65533) - Replacement character, represents an unknown character
0xfffe - Not a character
0xffff - Not a character

http://www.mozillazine.org/talkback.html?article=4078 talks about wider exploits due to null bytes %00 in URLs.

Assumptions

URL html attribute not stripped of null characters,

OR

URLs not restricted to absolute urls with a whitelisted protocol

OR

URLs not normalized.

Versions

Example

<iframe src="java&#65533;script:alert(42)"></iframe>

Sign in to add a comment