2008-12-17

WebLogic and Non-English Character Sets

I want to discuss in more depth the vulnerability Matt Presson and I have been working on. Apparently, if you have a WebLogic server that accepts international characters but has the page encoding set to ISO 8859-1, then you are vulnerable to a whole mess of XSS attacks, and any script listed in my previous blog post will execute. What seems to happen (we are still trying to find the exact cause) is that the web server truncates the upper bytes when returning the request. So if you entered 0x013C, the response will contain 0x3C, which is of course '<' and freakin vulnerable ;) This gets past the default output encoding done in `<bean:write>`, which uses the function ResponseUtils.filter() to actually do all of its output encoding. If you use StringEscapeUtils.escapeHtml() from Apache Commons Lang, then all your output will be encoded correctly, and this is demonstrated by the WAR file Matt Presson released.
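The truncation described above, modelled in Java as an added example (not code from this post, the released WAR file, or WebLogic). The low-byte truncation is an assumed model, since the exact cause is still unknown, and the two escapers are simplified stand-ins for a filter that only escapes ASCII metacharacters and for one that also writes non-ASCII characters as numeric entities.

```java
import java.nio.charset.StandardCharsets;

public class TruncationDemo {
    // Assumed model of the behaviour described in the post:
    // only the low byte of each 16-bit char reaches the response.
    static String truncateToLowByte(String s) {
        byte[] out = new byte[s.length()];
        for (int i = 0; i < s.length(); i++) {
            out[i] = (byte) s.charAt(i);
        }
        return new String(out, StandardCharsets.ISO_8859_1);
    }

    // Simplified stand-in: escapes only the ASCII HTML metacharacters
    // and passes every other character through unchanged.
    static String escapeAsciiMetaOnly(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hardened stand-in: also writes every char above 0x7F as a numeric
    // entity, so the output is pure ASCII and has no upper byte to lose.
    static String escapeAllNonAscii(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : escapeAsciiMetaOnly(s).toCharArray()) {
            if (c > 0x7F) sb.append("&#").append((int) c).append(';');
            else sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String input = "\u013Cb\u013E"; // constructed sample: U+013C, 'b', U+013E
        System.out.println("ASCII-only filter, then truncation: "
                + truncateToLowByte(escapeAsciiMetaOnly(input)));
        System.out.println("Numeric-entity escaper, then truncation: "
                + truncateToLowByte(escapeAllNonAscii(input)));
    }
}
```

With the ASCII-only filter the truncated output contains raw angle brackets; with the numeric-entity escaper the same input stays inert because nothing above 0x7F is left for the truncation to act on.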

I also modified Matt's code so that the regular POST is also vulnerable. The AJAX post was vulnerable because it called encodeURIComponent from JavaScript. If you set the form to accept-charset="UTF-8", then the data will be encoded the same way as with encodeURIComponent.

   <form name="dataForm" id="form" method="POST" action="/International/execute/Display" accept-charset="UTF-8">


Below is a video of the attack being exploited both in AJAX and in a regular POST.



I have currently tested this on Tomcat and GlassFish and was unable to get the same results, so it seems to primarily be a WebLogic issue.


I would like to thank Gareth Heyes for giving me a hacker tag in Hackvertor to perform this exploit!