| Author | Post | Date |
|---|---|---|
| unknown user | . | 27.04.2008 01:41:47 |
| quangntenemy | Well, I was close; that was one of the meta tags. Looks like SEO is a good thing for security too. (Edited by quangntenemy on 27.04.2008 02:41:17) | 27.04.2008 02:40:35 |
| unknown user | Too bad there aren't any second prizes. BTW, there are a few scripts around the challenge sites that aren't that bulletproof against this known problem. I'm too uninterested to develop exploits for all this, but scripts like http://www.net-force.nl/challenge/level407/LeetSS/readme/?show=something_that_will_be_echo'ed_back_without_explicit_charset look to me as if there is a large chance they are vulnerable to a lot of charset messing. But hey, who knows. I would expect Eierkoek's code to be safe... I would however add some charset header, just to be cautious. I got bored when my UTF-7 didn't work, probably because there's a stray "-" you probably need to master somehow (also don't forget that + in HTTP means space, so you need to HTML-encode your UTF-7 encoding). Let me know if you guys wrestle up some exploits. | 27.04.2008 04:11:22 |
| MonkeyMan2000 | Impressive find, rhican. Would you say this is a commonly exploited piece? More details of this exploit would be lovely. Thanks anyways. | 27.04.2008 10:55:48 |
| unknown user | These types of exploits are what typically breaks high-risk websites like Google, which otherwise have impeccable filters. http://www.securiteam.com/securitynews/6Z00L0AEUE.html It is less common, but perhaps more dangerous because of it. It's as old as the street, but people still think filtering the less-than sign is more than sufficient. Because they are stupid that way. However, exploits are less reliable since they depend on the browser more, and it requires more effort than usual XSS/content injection. | 27.04.2008 11:33:23 |
| MonkeyMan2000 | Thanks, Rhican! Very interesting article. One thing I will now take notice of! Surely this problem can be fixed by using default options on IDEs like Dreamweaver when making pages. Is it just the UTF-7 encoding that is exploitable, or are many other charsets? (Apologies if these are noobish questions.) | 27.04.2008 13:54:01 |
| Towley | You can even exploit PHP addslashes when some charsets are used: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string | 27.04.2008 16:22:20 |
| unknown user | There are quite a few charsets that can be used to fool filters. I'll leave you the joy of compiling a comprehensive list and sharing it. I'm not going to bother compiling my bookmarks. | 27.04.2008 19:21:54 |
| unknown user | . | 27.04.2008 19:42:33 |
| MonkeyMan2000 | That's pretty interesting, I've never known about character encoding exploitation. | 27.04.2008 19:54:27 |