More on scripts with non-english characters

In my last post I discussed an interesting find: I was able to execute scripts on a page by submitting double-byte characters in the input form. The execution happens in part because the resulting page is set to use ISO-8859-1 character encoding, which drops the high-order byte of each double-byte character. A character whose low-order byte happens to be 0x3C or 0x3E therefore comes out of the response as a literal < or >, even though it was not an HTML-special character at the time the input was validated or escaped.
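To make the mechanism concrete without deploying the .war, here is an added example (mine, not the demo application or anything from the original post) that simulates the truncation in Python. The sample input is constructed: Cyrillic small letters м (U+043C) and о (U+043E) are an assumption chosen because their low-order bytes are 0x3C and 0x3E, not the strings used in the earlier post. The example also generalizes slightly by listing which code points collapse to a given ASCII byte under truncation, and contrasts the lossy behaviour with what a conforming ISO-8859-1 encoder does.

```python
"""Simulate the ISO-8859-1 high-byte truncation described in the post.

Added example, not the author's demo application. It reproduces the
byte-level effect in Python so the result can be checked offline.
"""
import html

# Constructed sample input (an assumption, not the strings from the
# original post): 'м' (U+043C) and 'о' (U+043E) have low-order bytes
# 0x3C '<' and 0x3E '>'.
SAMPLE = "\u043cscript\u043ealert(1)\u043c/script\u043e"


def truncate_high_byte(text: str) -> bytes:
    """Emulate the lossy behaviour the post describes: keep only the
    low-order byte of every UTF-16 code unit."""
    return bytes(ord(ch) & 0xFF for ch in text)


def encode_latin1(text: str) -> bytes:
    """What a conforming ISO-8859-1 encoder does instead: unmappable
    characters become a replacement '?', never a stray '<'."""
    return text.encode("iso-8859-1", errors="replace")


def looks_like_script_tag(rendered: bytes) -> bool:
    """Crude check on the rendered bytes, as a browser would see them."""
    return b"<script" in rendered.lower()


def escape_then_truncate(text: str) -> bytes:
    """HTML-escaping before encoding does not help here: the Cyrillic
    letters are not HTML-special, so html.escape leaves them alone and
    the truncation afterwards still yields '<' and '>'."""
    return truncate_high_byte(html.escape(text))


def round_trips(text: str, charset: str) -> bool:
    """The check a practitioner would add before echoing input: can every
    character actually be represented in the response charset? If not,
    reject the input or switch the response to a charset that can
    (UTF-8), rather than letting the container guess."""
    try:
        text.encode(charset)
    except UnicodeEncodeError:
        return False
    return True


def aliases_for(ascii_char: str) -> list:
    """Generalization: every printable two-byte code point whose low-order
    byte equals the given ASCII character, i.e. every character that
    truncation would turn into it."""
    low = ord(ascii_char)
    return [chr((hi << 8) | low) for hi in range(1, 0x100)
            if chr((hi << 8) | low).isprintable()]


if __name__ == "__main__":
    print("truncated :", truncate_high_byte(SAMPLE))
    print("latin-1   :", encode_latin1(SAMPLE))
    print("escaped   :", escape_then_truncate(SAMPLE))
    print("fits latin-1?", round_trips(SAMPLE, "iso-8859-1"))
    print("aliases of '<':", "".join(aliases_for("<")[:20]), "...")
```

Running it shows the sample rendering as `<script>alert(1)</script>` under truncation and as `?script?alert(1)?/script?` under a conforming encoder, which is why the behaviour depends on the container's encoder and not on the input filter.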

Since then I have been asked numerous questions, so I mocked up a simple application to demonstrate the phenomenon. The sample application uses the same technology stack as the application in my previous post: Struts 1.3.8, DHTMLSuite, and JSPs. You can download this sample application from Google Code. Some of you may have to recompile the .war, as Eclipse optimized it to run on BEA WebLogic 9.2, but this should not cause any significant heartburn.

Once you have deployed the .war file, access the demo by browsing to http://servername<:port>/International/execute/DisplaySetup. The top form on the page does a normal form submit; the resulting page should not execute any script from the submitted data. Once you have had enough fun with that, go back to the form page and try the bottom form, which uses DHTMLSuite to submit the form and display the result in a div on the same page.

If you would like a small list of sample strings to use in this application when demonstrating the issue to others, check out my colleague's blog at http://pentesterconfessions.blogspot.com/.

Hope this explains a lot.

2 comments:

ascetik said...

Matt,
I think this is only vulnerable on WebLogic. I cannot get the code to be exploitable on Tomcat 5 or 6 running Java 5 or 6. I only tried WebLogic 9.2. I'm not sure why this is only vulnerable in WebLogic. I checked the request and response encoding and they were identical to what I was running in Tomcat. I wonder if it's a bug in WebLogic, but that would mean that WebLogic modifies your char encoding in some way. This is interesting.

ascetik said...

Matt,
I posted a video of this being exploited on my blog
http://pentesterconfessions.blogspot.com/2008/12/weblogic-and-non-english-character-sets.html

I have tried Tomcat and GlassFish and could not get it to work on either. WebLogic is doing something screwy here.