Charset Vulnerabilities
The following charsets have known vulnerabilities that make them susceptible to filter evasion. See the calculator at h4k.in for details on conversion.
Charset | IE7.0 | IE6.0 | Firefox 2.0.0.2 | Opera 9.02 | Notes |
BIG5 | X | X | Variable width encoding: 129-254 | ||
BIG5-HKSCS | X | X | Variable width encoding: 129-254 | ||
CP850 | |||||
EUC-JP | X | X | X | Variable width encoding: 129-254 in IE; in Firefox, vulnerable to 143 | |
EUC-KR | X | X | Variable width encoding: 129-254 | ||
GBK | X | X | Variable width encoding: 129-254 | ||
GB18030 | |||||
GB2312 | X | X | Variable width encoding: 129-254 | ||
HZ-GB-2312 | X | X | Variable width encoding: 129-254 in IE and 126-255 in Firefox | ||
IBM852 | |||||
IBM855 | |||||
IBM862 | |||||
IBM864 | |||||
IBM866 | |||||
KOI8-R | |||||
KOI8-U | |||||
ISO-2022-CN | X | X | Variable width encoding: 129-252 | ||
ISO-2022-JP | X | X | Variable width encoding: 129-254 | ||
ISO-2022-KR | Doesn't display previous click history from the page in Opera | ||||
ISO-8859-1 | |||||
ISO-8859-2 | |||||
ISO-8859-3 | |||||
ISO-8859-4 | |||||
ISO-8859-5 | |||||
ISO-8859-6 | |||||
ISO-8859-7 | |||||
ISO-8859-8 | |||||
ISO-8859-9 | |||||
ISO-8859-10 | |||||
ISO-8859-11 | |||||
ISO-8859-12 | |||||
ISO-8859-13 | |||||
ISO-8859-14 | |||||
ISO-8859-15 | |||||
ISO-8859-16 | |||||
SHIFT_JIS | X | X | X | Variable width encoding: 129-252 | |
TIS-620 | |||||
UTF-16 | X | X | X | X | Vulnerable to null byte injection |
UTF-16BE | X | X | X | X | Vulnerable to null byte injection and BOM injection if the charset is mis-set in Firefox |
UTF-16LE | X | X | See UTF-16 | ||
UTF-32 | |||||
UTF-32BE | |||||
UTF-32LE | |||||
UTF-7 | X | X | X | X | Uses UTF-7 syntax, which uses no angle brackets |
UTF-8 | |||||
US-ASCII | X | IE6.0 was vulnerable to US-ASCII encoding 7-bit chars. | |||
UCS-4 | |||||
Windows-1250 | |||||
Windows-1251 | |||||
Windows-1252 | |||||
Windows-1253 | |||||
Windows-1254 | |||||
Windows-1255 | |||||
Windows-1256 | |||||
Windows-1257 | |||||
Windows-1258 | |||||
X-ISO-10646-UCS-4-2143 | |||||
x-mac-centraleurroman | |||||
x-mac-cyrillic | |||||
x-mac-greek | |||||
x-mac-turkish |
Note: just because something isn't marked insecure doesn't mean it's secure (it also may not have been tested thoroughly). Please use this only as a guide, not as a rule book.