19.08.2015 Views

4.0


encoding can be used.

If the web server doesn't specify which character encoding is in use, it can't tell which characters are special. Web pages with unspecified character encoding work most of the time because most character sets assign the same characters to byte values below 128. But which of the values above 128 are special? Some 16-bit character-encoding schemes have additional multi-byte representations for special characters such as “’ works as a closing bracket for an HTML tag. In order to actually display this character on the web page, HTML character entities should be inserted in the page source. The injections mentioned above are one way of encoding. There are numerous other ways in which a string can be encoded (obfuscated) in order to bypass the above filter.

For the above script to work, the browser has to interpret the web page as encoded in UTF-7.

Multi-byte Encoding

Variable-width encoding is another type of character encoding scheme that uses codes of varying lengths to encode characters. Multi-byte encoding is a type of variable-width encoding that uses a varying number of bytes to represent a character. Multi-byte encoding is primarily used to encode characters that belong to a large character set, e.g. Chinese, Japanese and Korean.

Multi-byte encoding has been used in the past to bypass standard input validation functions and carry out cross-site scripting and SQL injection attacks.
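The following is an added illustration, not code from the Testing Guide: it shows why a byte-oriented filter cannot be correct when the charset is left undefined, and how canonicalising input to Unicode under the charset the response will declare, with strict decoding, lets one check cover the plain, UTF-7 and malformed multi-byte forms of the same input. The sample bytes are constructed; the UTF-7 forms of "<" and ">" follow RFC 2152, and the header parser and function names are this example's own.

```python
"""Charset-aware canonicalisation before input filtering (added example)."""
import re

# Three wire-level forms of the same logical input, "<script>" (constructed).
ASCII_TAG = b"<script>"
UTF7_TAG = b"+ADw-script+AD4-"      # '<' is +ADw- and '>' is +AD4- in UTF-7 (RFC 2152)
MALFORMED_UTF8 = b"\xc0\xafscript"  # 0xC0 is never a valid UTF-8 lead byte

_CHARSET_RE = re.compile(r";\s*charset=\"?([A-Za-z0-9_.:-]+)\"?", re.IGNORECASE)


def declared_charset(content_type):
    """Charset named in a Content-Type value, or None when it is left undefined,
    which is the situation in which server and browser can disagree on which
    byte sequences are special."""
    m = _CHARSET_RE.search(content_type or "")
    return m.group(1).lower() if m else None


def byte_filter_blocks(raw):
    """Byte-oriented filter with no notion of charset: looks for a literal '<'.
    It cannot see the UTF-7 form because no 0x3C byte is present."""
    return b"<" in raw


def canonical_filter_blocks(raw, response_content_type):
    """Decode the input strictly under the charset the response will declare and
    inspect the resulting Unicode text. An undeclared charset or a malformed
    multi-byte sequence is rejected rather than guessed at."""
    charset = declared_charset(response_content_type)
    if charset is None:
        return True
    try:
        text = raw.decode(charset, errors="strict")
    except (UnicodeDecodeError, LookupError):
        return True
    return "<" in text


if __name__ == "__main__":
    samples = (("ascii", ASCII_TAG), ("utf-7", UTF7_TAG), ("bad utf-8", MALFORMED_UTF8))
    for label, raw in samples:
        print(label,
              "bytes-only:", byte_filter_blocks(raw),
              "canonical, UTF-8 declared:", canonical_filter_blocks(raw, "text/html; charset=UTF-8"),
              "canonical, UTF-7 declared:", canonical_filter_blocks(raw, "text/html; charset=UTF-7"))
```

With UTF-8 declared, the UTF-7 bytes decode to the harmless text `+ADw-script+AD4-`, so they pass; the same bytes are only dangerous when the page is interpreted as UTF-7, which is exactly what an explicit charset declaration prevents.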
