Abraham Kang
31 followers

Trying different account
0x53d9Ed0fE696895AaEcfacb9BE84c749e3390aef

Programming crypto currency
0x4Cf95eCAcDD29a82dFb8c86837f1e2E328F26d3e

I know I have been quiet for a while but wanted to start reaching out to people again.

I am working on a book / guide called either "Avoiding the pitfalls of Static Analysis" or "Getting the Most Out of Static Analysis".

Let me know if you think the content is helpful

What about the following:

//Declaring a String executes code
String Spanish_EULA =  "\u0022\u003b\u0074\u0072\u0079\u0020\u007b\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0022\u006f\u0070\u0065\u006e\u0020\u002d\u0061\u0020\u0043\u0061\u006c\u0063\u0075\u006c\u0061\u0074\u006f\u0072\u0022\u0029\u003b\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u0049\u004f\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u0065\u002e\u0070\u0072\u0069\u006e\u0074\u0053\u0074\u0061\u0063\u006b\u0054\u0072\u0061\u0063\u0065\u0028\u0029\u003b\u007d\u0074\u0072\u0079\u0020\u007b\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0022\u0063\u0061\u006c\u0063\u0022\u0029\u003b\u007d\u0020\u0063\u0061\u0074\u0063\u0068\u0020\u0028\u0049\u004f\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0020\u0065\u0029\u0020\u007b\u0065\u002e\u0070\u0072\u0069\u006e\u0074\u0053\u0074\u0061\u0063\u006b\u0054\u0072\u0061\u0063\u0065\u0028\u0029\u003b\u007d\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0078\u0020\u003d\u0020\u0022";

Unicode character escaping is similar to HTML escaping in the minds of most people.  When you HTML encode strings you expect them not to be evaluated as markup.  Similarly, if you unicode encode strings you expect the characters to be treated as text, not code.  Jeff, you wrote the XSS Cheat Sheet.  You know what I am talking about.

If the spec allows this then it should be changed for the above reason.

Well, I got a lot of feedback from the disclosure.  Some people, and rightly so, pointed out that this had been disclosed a while ago.  They are correct to a certain extent, but the way I used it was counter to what was expected.

What was disclosed before looked like:

/*
\u00a3\u003c…
*/

and 

<%\u00a3\u003c…%>

Good findings, but when a code reviewer looks at these they will instantly know something is up.

What about the following:

System.out.println("Russian EULA:  \u00a3\u003c…");

The whole purpose of the unicode encodings was to allow you to embed unicode characters into your program.

System.out.println("\u0053\u0074\u0061\u0072\u0074");

Prints "Start"

A normal developer would think that Unicode characters in between quotes would be treated as text.  Unfortunately, as my previous posting shows, this is not the case.

I think this is a bug or an oversight in the Java spec.  

Because the bad guys can use this to hide code without raising suspicions, I think it is a vulnerability.

Respectfully,
Abe
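Both posts above rest on the same mechanism: javac translates \uXXXX escapes (JLS §3.3) before the lexer ever sees the file, so an escape that decodes to a double quote closes the surrounding string literal and whatever follows is compiled as code. The scanner below is an added example for this thread, not Abraham Kang's code and not part of any project. It re-implements that translation step, including the rule that a backslash starts an escape only when it is preceded by an even number of contiguous backslashes, and flags every escape whose decoded character could change the token structure of the file (quotes, backslashes, line terminators, comment delimiters), which is what a code reviewer or pre-commit hook would want to catch. The Java snippet it runs on is constructed for the example.

```python
"""Pre-commit check for Java sources: flag \\uXXXX escapes that javac would
translate into lexically significant characters before tokenising the file.

Added example, not the original poster's code. Java's Unicode escape
translation (JLS 3.3) runs before lexing, which is why "\\u0022" inside a
string literal closes the literal. The functions below reproduce that step
and report escapes whose decoded character can alter the token structure.
"""
import re
from typing import List, NamedTuple

# Java allows one or more 'u' after the backslash (\u0022 and \uu0022 are equivalent).
ESCAPE_RE = re.compile(r'\\u+([0-9a-fA-F]{4})')

# Decoded characters that can alter how the source is tokenised.
LEXICALLY_SIGNIFICANT = {
    '"': 'double quote: can terminate a string literal',
    "'": 'single quote: can terminate a char literal',
    '\\': 'backslash: can start a further escape',
    '\n': 'line feed: ends a // comment or a literal',
    '\r': 'carriage return: line terminator',
    '/': 'slash: can open or close a comment',
    '*': 'asterisk: can open or close a block comment',
}


class Finding(NamedTuple):
    line: int      # 1-based line number
    col: int       # 1-based column of the backslash
    escape: str    # raw escape text as written in the source
    char: str      # the character javac would substitute
    reason: str


def _eligible(src: str, i: int) -> bool:
    """JLS 3.3: the backslash at src[i] may begin a Unicode escape only if it is
    preceded by an even number of contiguous backslashes, so in "C:\\\\u0022"
    the second backslash is an escaped backslash followed by plain text."""
    n = 0
    j = i - 1
    while j >= 0 and src[j] == '\\':
        n += 1
        j -= 1
    return n % 2 == 0


def translate_unicode_escapes(src: str) -> str:
    """Return the text javac actually lexes: eligible \\uXXXX escapes replaced by
    the characters they denote. A substituted character never starts a new escape."""
    out = []
    i = 0
    while i < len(src):
        m = ESCAPE_RE.match(src, i)
        if m and _eligible(src, i):
            out.append(chr(int(m.group(1), 16)))
            i = m.end()
        else:
            out.append(src[i])
            i += 1
    return ''.join(out)


def find_suspicious_escapes(src: str) -> List[Finding]:
    """Report every eligible escape whose decoded character is lexically significant."""
    findings = []
    for m in ESCAPE_RE.finditer(src):
        if not _eligible(src, m.start()):
            continue
        ch = chr(int(m.group(1), 16))
        if ch not in LEXICALLY_SIGNIFICANT:
            continue  # e.g. \u00e9 in "café": the legitimate use of the feature
        line_start = src.rfind('\n', 0, m.start()) + 1
        findings.append(Finding(
            line=src.count('\n', 0, m.start()) + 1,
            col=m.start() - line_start + 1,
            escape=m.group(0),
            char=ch,
            reason=LEXICALLY_SIGNIFICANT[ch],
        ))
    return findings


# Constructed sample Java source (not from the thread): one benign escape, two that
# close and reopen a string literal, one escaped backslash that is NOT an escape,
# and one that smuggles a line terminator into a literal.
SAMPLE_JAVA = r'''class Eula {
    String greeting = "caf\u00e9";
    String eula = "\u0022;hidden();String x = \u0022";
    String path = "C:\\u0022";
    String motd = "line one\u000aline two";
}
'''

if __name__ == '__main__':
    for f in find_suspicious_escapes(SAMPLE_JAVA):
        print(f'line {f.line} col {f.col}: {f.escape} -> {f.reason}')
    print('--- what javac lexes ---')
    print(translate_unicode_escapes(SAMPLE_JAVA))
```

Run on the sample, the check reports the two escapes on line 3 and the line feed on line 5, while the accented letter on line 2 and the escaped backslash on line 4 pass. Printing the translated source is the quickest way to show a reviewer what the compiler really sees: the EULA line becomes `String eula = "";hidden();String x = "";`.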