A recent whitehat scan made me realize that SQL Server does best-fit Unicode conversion. This means that when a string containing Unicode characters is converted to a non-Unicode string, SQL Server substitutes the closest characters it can, rather than garbling the data with question marks. For example:
SELECT 'ŤĘŞŤ'
Outputs "TEST"
Each character is replaced with a "similar" ASCII equivalent. The same can be seen on a single character, where the Unicode character 65308 (＜) is converted to the ASCII character 60 (<).
SELECT ascii(NCHAR(65308))
Outputs "60"
The main question is: where is this documented? I have Googled all kinds of phrases and read the Microsoft docs, but all I can find are people looking for manual conversions, and nothing that documents that SQL Server does best-fit Unicode conversion automatically. Also, is it possible to disable or configure this?
While the behavior is convenient for applications that do not store strings as Unicode, and probably goes completely unnoticed in most scenarios, penetration tests report this as "high" because Unicode conversions can be used to bypass validation procedures and lead to vulnerabilities such as XSS.
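The defensive consequence of the behavior described in this question is that any validation run on the raw Unicode input says nothing about what ends up in a varchar column. The following is an added example, not from the original post: it approximates the best-fit fold with Unicode compatibility normalization plus stripping of combining marks (an approximation of the Windows code-page best-fit tables, not SQL Server's actual mapping), and compares a naive pre-conversion check against one that validates the folded value.

```python
import unicodedata

# Characters that would be dangerous if they reach an HTML or SQL context
# after the server-side narrowing conversion.
FORBIDDEN = set("<>\"'&;")


def best_fit_fold(text: str) -> str:
    """Approximate SQL Server's best-fit mapping into a single-byte column.

    NFKC collapses compatibility forms (fullwidth U+FF1C '＜' -> '<'); NFKD plus
    removal of combining marks collapses accented letters ('Ť' -> 'T').
    Assumption: this mirrors the direction of the real best-fit tables well
    enough for validation purposes; it is not the exact Windows mapping.
    """
    compat = unicodedata.normalize("NFKC", text)
    decomposed = unicodedata.normalize("NFKD", compat)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def naive_is_safe(value: str) -> bool:
    """Checks the raw Unicode input only: this is the check the scan bypasses."""
    return not any(ch in FORBIDDEN for ch in value)


def folded_is_safe(value: str) -> tuple[bool, str]:
    """Validate what the legacy column will actually contain.

    Returns (ok, folded_value) so the caller can also store the folded form
    explicitly instead of relying on the implicit server-side conversion.
    """
    folded = best_fit_fold(value)
    offending = sorted({ch for ch in folded if ch in FORBIDDEN})
    return (not offending, folded)


if __name__ == "__main__":
    # Constructed inputs: the two cases from the question plus a benign one.
    samples = ["ŤĘŞŤ", chr(65308) + "b" + chr(65310), "Zürich"]
    for s in samples:
        ok, folded = folded_is_safe(s)
        print(f"{s!r:>14} naive={naive_is_safe(s)!s:<5} "
              f"folded={folded!r} folded_ok={ok}")
```

The fullwidth sample passes the naive check but fails once folded, which is exactly the gap a scanner rates as high; the fix is to validate (or encode) after normalization, or to keep the column as nvarchar so no narrowing happens.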