UTF-7 XSS attacks in modern browsers

Question

I've recently read Ned Batchelders article on UTF-7 XSS-attacks. I tested his examples, but could not get any UTF-7 attack to work in modern browsers. I tried recent versions of Firefox, Chrome and Safari so far.

I know that Chrome has some XSS-attack prevention mechanisms but to my experience, Firefox has a more "generous" mechanism of executing javascript, even when it's broken - however, none of these browsers seems to select the UTF-7 charset by default if the site is using (but not explicitly declaring) it.

So: Does anybody know why this is not working anymore? It seems that the UTF-7 detection mechanism has changed, maybe even for security reasons? Can UTF-7 attacks still target modern browsers if there is no way to change charset declaration within the document or manipulate the headers?

Answer 1

This exploit is only possible in old versions of Internet Explorer. Modern browsers will not auto detect the encoding as UTF-7.

OWASP:-

This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported.

Wikipedia:-

To mitigate this problem systems should perform decoding before validation and should avoid attempting to autodetect UTF-7. Older versions of Internet Explorer can be tricked into interpreting the page as UTF-7.

Answer 2

Chrome and Firefox seem to no longer support UTF-7 in any format. The HTML5 specification says:

User agents must support the encodings defined in the WHATWG Encoding standard. User agents should not support other encodings.

User agents must not support the CESU-8, UTF-7, BOCU-1 and SCSU encodings. [CESU8] [UTF7] [BOCU1] [SCSU]

Support for encodings based on EBCDIC is especially discouraged. This encoding is rarely used for publicly-facing Web content. Support for UTF-32 is also especially discouraged. This encoding is rarely used, and frequently implemented incorrectly.