4.0

222
encoding can be used.
If the web server doesn’t specify which character encoding is in
use, it can’t tell which characters are special. Web pages with unspecified
character encoding work most of the time because most
character sets assign the same characters to byte values below
128. But which of the values above 128 are special? Some 16-bit
character-encoding schemes have additional multi-byte representations
for special characters such as “’ works as a closing bracket
for a HTML tag. In order to actually display this character on the
web page HTML character entities should be inserted in the page
source. The injections mentioned above are one way of encoding.
There are numerous other ways in which a string can be encoded
(obfuscated) in order to bypass the above filter.
For the above script to work, the browser has to interpret the web
page as encoded in UTF-7.
Multi-byte Encoding
Variable-width encoding is another type of character encoding
scheme that uses codes of varying lengths to encode characters.
Multi-Byte Encoding is a type of variable-width encoding that
uses varying number of bytes to represent a character. Multi-byte
encoding is primarily used to encode characters that belong to a
large character set e.g. Chinese, Japanese and Korean.
Multibyte encoding has been used in the past to bypass standard
input validation functions and carry out cross site scripting and
SQL injection attacks.
References
• http: /en.wikipedia.org/wiki/Encode_(semiotics)
• http: /ha.ckers.org/xss.html
• http: /www.cert.org/tech_tips/malicious_code_mitigation.html
• http: /www.w3schools.com/HTML/html_entities.asp
• http: /www.iss.net/security_center/advice/Intrusions/2000639/default.htm
• http: /searchsecurity.techtarget.com/expert/Knowledgebase-
Answer/0,289625,sid14_gci1212217_tax299989,00.html
• http: /www.joelonsoftware.com/articles/Unicode.html