Detection evasion technique by invalid UTF-8 sequences Mar 23 2009 02:44AM
bugtraq01 hash-c co jp
Title: Detection evasion technique by invalid UTF-8 sequences
Reported By: Hiroshi Tokumaru of HASH Consulting Corp.
Impact: A remote attacker can evade detection.


Invalid UTF-8 sequences are ignored in ASP.NET 1.1.
This may be used for the detection evasion of IDS/IPS/WAF.

Problem 1

Affected Environment:
Web sites written by ASP.NET 1.1 and using UTF-8 character encoding.


Invalid UTF-8 sequences are ignored.

Sample script (ex1.aspx):

<%= Request.QueryString("p") %>

Input: http://hostname/ex1.aspx?p=dec%E6lare
Output: declare

Problem 2 (Reference Information)

Affected Environment:
All Web Sites written by Legacy ASP (Active Server Pages).


Percent (%) symbols are ignored in the case of invalid

Sample script (ex2.asp):

<%= Request.QueryString("p") %>

Input: http://hostname/ex2.asp?p=dec%lare
Output: declare

This problem was reported by LAC Corporation on Oct. 2, 2008. (Japanese)


Detection by IDS/IPS/WAF (Web Application Firewall) is evaded by
inserting invalid UTF-8 sequences in the middle of SQL keywords (select,
union, declare and so on).
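The two examples above (dec%E6lare on ASP.NET 1.1 and dec%lare on legacy ASP) both come down to the same detection problem: a signature that looks at the raw query string sees no SQL keyword, while the application, after its own decoding, sees "declare". The following Python is an added example, not code from the advisory or from HASH Consulting; it models the two decoding behaviours the advisory describes (the ASP.NET 1.1 side with Python's "ignore" error handler rather than the .NET decoder itself, the legacy ASP side as a simple "drop a % that is not followed by two hex digits" rule built from the one sample given) and runs a keyword check on the raw string and on each server-side view. The sample inputs are constructed from the two URLs on the page.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample query-string values, modelled on the advisory's two URLs.
SAMPLE_ASPNET11 = "dec%E6lare"   # 0xE6 is a 3-byte UTF-8 lead byte with no continuation bytes
SAMPLE_LEGACY_ASP = "dec%lare"   # '%' not followed by two hex digits

# Keywords named in the advisory; a real rule set would be much larger.
SQL_KEYWORDS = ("select", "union", "declare")


def decode_like_aspnet11(raw: str) -> str:
    """Percent-decode, then UTF-8 decode while dropping invalid sequences.

    Assumption: this models the ASP.NET 1.1 behaviour the advisory describes
    with Python's 'ignore' error handler; it is not the .NET decoder.
    """
    return unquote_to_bytes(raw).decode("utf-8", errors="ignore")


_PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})?")


def decode_like_legacy_asp(raw: str) -> str:
    """Percent-decode where an invalid escape loses its '%' entirely.

    Assumption: this models the classic ASP behaviour the advisory describes
    from its single example (dec%lare -> declare). Valid escapes are mapped
    byte-for-byte onto Latin-1 code points so the function stays a str -> str.
    """
    def _replace(match: re.Match) -> str:
        hexpair = match.group(1)
        return chr(int(hexpair, 16)) if hexpair else ""
    return _PCT_ESCAPE.sub(_replace, raw)


def find_sql_keywords(text: str) -> list:
    """Case-insensitive substring match against the keyword list."""
    lowered = text.lower()
    return [kw for kw in SQL_KEYWORDS if kw in lowered]


def inspect(raw: str) -> dict:
    """Run the keyword check on the raw value and on both modelled backends.

    A WAF that only inspects 'raw' misses what the application will execute;
    the check has to be applied to the view the actual backend produces.
    """
    return {
        "raw": find_sql_keywords(raw),
        "aspnet11": find_sql_keywords(decode_like_aspnet11(raw)),
        "legacy_asp": find_sql_keywords(decode_like_legacy_asp(raw)),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_ASPNET11, SAMPLE_LEGACY_ASP):
        print(sample, "->", inspect(sample))
```

Note that each decoder only recovers the keyword for the backend it models: the ASP.NET 1.1 view of dec%lare keeps the literal "%" and the legacy ASP view of dec%E6lare contains a Latin-1 "æ", so neither matches. That is the practical point of the first workaround in the advisory: normalization in the IDS/IPS/WAF has to follow the character decoding of the specific server behind it, not a generic one.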

Solution and Workaround

* Consider character encoding when detecting with IDS/IPS/WAF.
* Migrate to ASP.NET 2.0.
  The 1st problem is resolved in ASP.NET 2.0.
* Fix the vulnerabilities.


This vulnerability was reported by Hiroshi Tokumaru of
HASH Consulting Corporation(


secuinfo (at) hash-c (dot) co (dot) jp (Hiroshi Tokumaru Personal Blog)

Re: Detection evasion technique by invalid UTF-8 sequences Mar 27 2009 01:11AM
Frank Knobbe (frank knobbe us)


Copyright 2010, SecurityFocus