
I've recently read Ned Batchelder's article on UTF-7 XSS attacks. I tested his examples, but could not get any UTF-7 attack to work in modern browsers. I tried recent versions of Firefox, Chrome and Safari so far.

I know that Chrome has some XSS-attack prevention mechanisms, but in my experience Firefox has a more "generous" mechanism of executing JavaScript, even when it's broken. However, none of these browsers seems to select the UTF-7 charset by default if the site is using (but not explicitly declaring) it.

So: Does anybody know why this is not working anymore? It seems that the UTF-7 detection mechanism has changed, maybe even for security reasons? Can UTF-7 attacks still target modern browsers if there is no way to change charset declaration within the document or manipulate the headers?

Michael Helwig

2 Answers


This exploit is only possible in old versions of Internet Explorer. Modern browsers will not auto detect the encoding as UTF-7.

OWASP:

This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported.

Wikipedia:

To mitigate this problem systems should perform decoding before validation and should avoid attempting to autodetect UTF-7. Older versions of Internet Explorer can be tricked into interpreting the page as UTF-7.

SilverlightFox

  • Thanks, I was hoping there is more information on this topic but maybe that is all there is to say. – Michael Helwig Dec 26 '13 at 19:34
  • IE will render UTF-7 pages if it is stated in the `content-type`, the only change is that IE's content sniffing no longer attempts UTF-7 encoding. – rook Sep 30 '14 at 16:40

Chrome and Firefox seem to no longer support UTF-7 in any format. The HTML5 specification says:

User agents must support the encodings defined in the WHATWG Encoding standard. User agents should not support other encodings.

User agents must not support the CESU-8, UTF-7, BOCU-1 and SCSU encodings. [CESU8] [UTF7] [BOCU1] [SCSU]

Support for encodings based on EBCDIC is especially discouraged. This encoding is rarely used for publicly-facing Web content. Support for UTF-32 is also especially discouraged. This encoding is rarely used, and frequently implemented incorrectly.

Jason Gross
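The Wikipedia mitigation quoted in the first answer (decode before validation, never autodetect UTF-7) and the HTML5 rule quoted in the second (UTF-7 must not be supported) translate into a simple server-side discipline. The following is an added example, not code from the question or either answer; the sample input, the function names and the "reject anything that looks like a tag" validator are assumptions made for illustration.

```python
import re
from typing import Optional

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")  # conservative "looks like a tag" check

# Constructed sample: ASCII bytes with no '<' in them, but a UTF-7 decoder reads
# "+ADw-" as '<' and "+AD4-" as '>', i.e. the text becomes "hello <script>".
SAMPLE = b"hello +ADw-script+AD4-"

def looks_like_html(text: str) -> bool:
    return TAG_RE.search(text) is not None

def naive_validate(raw: bytes) -> bool:
    """The flawed order: validate raw bytes now, let a consumer decode later.
    Because UTF-7 never needs a literal '<' byte, this check passes SAMPLE."""
    return b"<" not in raw

def canonicalize(raw: bytes, declared_charset: Optional[str] = None) -> str:
    """Decode exactly once, before validation. Only UTF-8 is accepted: UTF-7 is
    refused outright and no charset autodetection is attempted."""
    charset = (declared_charset or "utf-8").lower().replace("_", "-")
    if charset == "utf-7":
        raise ValueError("UTF-7 input refused; re-encode as UTF-8")
    if charset != "utf-8":
        raise ValueError(f"unsupported charset {charset!r}")
    return raw.decode("utf-8")

def utf7_shadow(text: str) -> Optional[str]:
    """If pure-ASCII text would read differently under a strict UTF-7 decoder,
    return that alternative reading; otherwise None (non-ASCII input, text the
    codec rejects, or text it reads unchanged)."""
    try:
        alt = text.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None
    return alt if alt != text else None

def validate_untrusted(raw: bytes, declared_charset: Optional[str] = None) -> bool:
    """Decode-then-validate. Rejects markup in the canonical text, and also
    rejects ASCII that would turn into markup if some downstream consumer
    (an old IE, a legacy library) still decoded it as UTF-7."""
    text = canonicalize(raw, declared_charset)
    if looks_like_html(text):
        return False
    shadow = utf7_shadow(text)
    return not (shadow is not None and looks_like_html(shadow))
```

The second check is belt-and-braces: if every consumer honours the HTML5 rule and the explicit UTF-8 declaration, the canonical text alone is what gets rendered.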