IIS 6.0 Server and Unicode Characters
- by Srikanth
We are performing a pen test on a simple ASP application that uses an MS SQL database. It seems that for authentication they are using dynamically constructed queries but escaping single quotes.
When we use Unicode quotes like %uFF07, %u02b9 etc. we are able to successfully perform SQL injection.
We want to understand: is it more a kind of configuration issue of the IIS server canonicalizing Unicode characters, or is the way the validation function that escapes single quotes is written the cause of the problem?
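
The ordering question asked above, as an added example that is not part of the original post. It assumes, which the page does not confirm, that some layer between the request and SQL Server converts look-alike quotes to the ASCII quote after the escaping function has run; `LOOKALIKE_QUOTES`, `fold_to_ansi` and the other names are hypothetical.

```python
# Added illustration. The fold table is a constructed stand-in for whatever
# Unicode-to-ANSI conversion the server or driver applies (an assumption).
LOOKALIKE_QUOTES = {"\uff07": "'", "\u02b9": "'"}  # U+FF07 and U+02B9 from the post


def fold_to_ansi(text):
    """Simulate a lossy conversion that turns look-alike quotes into U+0027."""
    return "".join(LOOKALIKE_QUOTES.get(ch, ch) for ch in text)


def escape_quotes(text):
    """The filter described in the post: double every ASCII single quote."""
    return text.replace("'", "''")


def literal_is_closed_early(value):
    """True if `value`, placed between '...' in SQL, ends the literal early."""
    i = 0
    while i < len(value):
        if value[i] == "'":
            if value[i + 1:i + 2] == "'":  # doubled quote: an escaped quote
                i += 2
                continue
            return True  # lone quote terminates the string literal
        i += 1
    return False


def escape_then_fold(raw):
    """Order that fails: the filter runs before the conversion."""
    return fold_to_ansi(escape_quotes(raw))


def fold_then_escape(raw):
    """Order that holds: canonicalize first, then escape."""
    return escape_quotes(fold_to_ansi(raw))


SAMPLES = ["o'brien", "o\uff07brien", "o\u02b9brien", "plain"]  # constructed inputs


def report():
    """Map each sample to (breaks out when escaped first, when folded first)."""
    return {s: (literal_is_closed_early(escape_then_fold(s)),
                literal_is_closed_early(fold_then_escape(s))) for s in SAMPLES}


if __name__ == "__main__":
    for s, (weak, fixed) in report().items():
        print(f"{s!r:14} escape-then-fold: {weak}  fold-then-escape: {fixed}")
```

A parameterized query removes the dependence on this ordering altogether, because the value is never spliced into the SQL text.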