Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities - 1364

Stefan Schiller, posted 2 years ago
  • Sonar Source people go crazy on web security issues! Definitely one of the best blogs to read through for cutting edge security research. In this case, they have a wild XSS in the Joomla CMS.
  • The CMS was meant to remove all HTML tags except the ones that were explicitly allowed. To do this, the function cleanTags strips the disallowed content inside the tag (attributes and the like) but leaves the value within the tag alone.
  • This code is very security sensitive, so while reviewing the implementation in detail they noticed that mb_strpos and mb_substr handle invalid UTF-8 sequences differently. For mb_strpos, if it encounters an invalid sequence it jumps back to the second byte being processed; mb_substr instead skips over the continuation bytes when this happens.
  • The inconsistency creates a major problem: it may be possible to smuggle in angle brackets and other useful characters by abusing it. Because one function uses a different index than the other, the two process different slices of the same input.
  • Inserting multiple invalid UTF-8 sequences breaks the offset math between the functions. For instance, with \xF0\x9FAAA<BB the code sees the invalid sequence and lets the <BB through as a valid part of the processing even though much of the surrounding input was thrown out.
  • PHP actually fixed the underlying issue but didn't backport it because they didn't consider it a security issue. Overall, a fascinating case of exploiting the intricacies of multibyte characters. Super post with awesome diagrams explaining the vulnerability.
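To make the offset mismatch concrete, here is an added toy model written for this note; it is not Joomla's cleanTags, nor PHP's mbstring, and the two decoders (chars_resync and chars_skip_cont) are assumptions that mimic the behaviour the notes attribute to mb_strpos and mb_substr, with the sample inputs constructed from the \xF0\x9FAAA<BB example above. It shows the bracket index drifting by one per invalid sequence, a stripper that mixes the two decoders letting `<` survive, and the fix a reviewer would ask for: normalise or reject invalid UTF-8 once, then search and slice the same code-point string.

```python
"""Toy model (constructed for this reading note, not Joomla's or PHP's code):
two character decoders that disagree about invalid UTF-8, a tag stripper that
mixes them, and a hardened stripper that normalises the input first."""


def _seq_len(lead: int) -> int:
    """Expected sequence length from a lead byte; 0 for a stray continuation
    byte or an invalid lead byte."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0


def _well_formed(data: bytes, i: int, n: int) -> bool:
    """True if bytes i+1 .. i+n-1 are all continuation bytes (0x80-0xBF)."""
    return i + n <= len(data) and all(0x80 <= b <= 0xBF for b in data[i + 1:i + n])


def chars_resync(data: bytes) -> list:
    """Decoder A (assumed mb_strpos-like behaviour): on an invalid sequence the
    lead byte counts as one character and decoding resumes at the next byte.
    Returns one (start, end) byte span per character."""
    spans, i = [], 0
    while i < len(data):
        n = _seq_len(data[i])
        if n > 1 and _well_formed(data, i, n):
            spans.append((i, i + n)); i += n
        else:                      # ASCII, or invalid: one byte, resume at next
            spans.append((i, i + 1)); i += 1
    return spans


def chars_skip_cont(data: bytes) -> list:
    """Decoder B (assumed mb_substr-like behaviour): on an invalid sequence the
    lead byte plus every continuation byte after it collapse into one character."""
    spans, i = [], 0
    while i < len(data):
        n = _seq_len(data[i])
        if n == 1:
            spans.append((i, i + 1)); i += 1
        elif n > 1 and _well_formed(data, i, n):
            spans.append((i, i + n)); i += n
        else:
            j = i + 1
            while j < len(data) and 0x80 <= data[j] <= 0xBF:
                j += 1
            spans.append((i, j)); i = j
    return spans


def char_index(spans, data: bytes, needle: bytes) -> int:
    """Character (not byte) index of the first character equal to needle, or -1."""
    for idx, (s, e) in enumerate(spans):
        if data[s:e] == needle:
            return idx
    return -1


def char_slice(spans, data: bytes, start: int, length: int) -> bytes:
    """Bytes covering characters start .. start+length-1 under the given decoder."""
    sel = spans[start:start + length]
    return data[sel[0][0]:sel[-1][1]] if sel else b""


def bracket_offsets(data: bytes) -> tuple:
    """Where each decoder believes the first '<' sits, in characters."""
    return (char_index(chars_resync(data), data, b"<"),
            char_index(chars_skip_cont(data), data, b"<"))


def strip_tags_mixed(data: bytes) -> bytes:
    """Flawed stripper: locates '<' with decoder A but keeps the 'text before the
    tag' by slicing with decoder B. Each invalid sequence pushes the two offsets
    one character apart, so the cut lands past the bracket."""
    out, rest = b"", data
    while rest:
        a_spans = chars_resync(rest)
        lt = char_index(a_spans, rest, b"<")
        if lt < 0:
            out += rest
            break
        out += char_slice(chars_skip_cont(rest), rest, 0, lt)   # meant to stop before '<'
        gt = rest.find(b">", a_spans[lt][0])                    # tag body is dropped
        rest = rest[gt + 1:] if gt >= 0 else b""
    return out


def strip_tags_consistent(data: bytes) -> bytes:
    """Hardened stripper: replace invalid bytes with U+FFFD once, then search and
    slice the same code-point string so no two routines can disagree on offsets.
    Rejecting outright with data.decode('utf-8') (strict) is the stricter option."""
    text = data.decode("utf-8", errors="replace")
    out, rest = [], text
    while rest:
        lt = rest.find("<")
        if lt < 0:
            out.append(rest)
            break
        out.append(rest[:lt])
        gt = rest.find(">", lt)
        rest = rest[gt + 1:] if gt >= 0 else ""
    return "".join(out).encode("utf-8")


if __name__ == "__main__":
    sample = b"\xF0\x9FAAA<BB"           # invalid-lead example from the notes
    print(bracket_offsets(sample))        # (5, 4): the decoders disagree
    print(strip_tags_mixed(sample))       # b'\xf0\x9fAAA<': the '<' survives
    print(strip_tags_consistent(sample))  # no '<' left
```

The defensive takeaway is the last function: whatever the sanitizer does, validate or normalise the byte string exactly once, up front, and never let a search routine and a slicing routine decode the raw bytes independently. Adding a second invalid sequence (\xF0\x9F\xF0\x9FAAA<BB) widens the gap to two characters and leaks `<B`, which is the "offset math" effect the notes describe.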